Special theme Autonomous Vehicles - About | Aries...Open-Access Verification Framework by Franco...

ERCIM NEWSNumber 109 April 2017

www.ercim.eu

Special theme

Autonomous

VehiclesAlso in this issue:

Research and Society:

Virtual Research Environments

ERCIM News is the magazine of ERCIM. Published quar-

terly, it reports on joint actions of the ERCIM partners, and

aims to reflect the contribution made by ERCIM to the

European Community in Information Technology and Applied

Mathematics. Through short articles and news items, it pro-

vides a forum for the exchange of information between the

institutes and also with the wider scientific community. This

issue has a circulation of about 6,000 printed copies and is

also available online.

ERCIM News is published by ERCIM EEIG

BP 93, F-06902 Sophia Antipolis Cedex, France

Tel: +33 4 9238 5010, E-mail: [email protected]

Director: Philipp Hoschka, ISSN 0926-4981

Contributions

Contributions should be submitted to the local editor of your

country

Copyright�notice

All authors, as identified in each article, retain copyright of their

work. ERCIM News is licensed under a Creative Commons

Attribution 4.0 International License (CC-BY).

Advertising

For current advertising rates and conditions, see

http://ercim-news.ercim.eu/ or contact [email protected]

ERCIM�News�online�edition��

http://ercim-news.ercim.eu/

Next�issue

July 2017, Special theme: Blockchain Engineering

Subscription

Subscribe to ERCIM News by sending an email to

[email protected] or by filling out the form at the

ERCIM News website: http://ercim-news.ercim.eu/

Editorial�Board:

Central editor:

Peter Kunz, ERCIM office ([email protected])

Local Editors:

Austria: Erwin Schoitsch ([email protected])

Belgium:Benoît Michel ([email protected])

Cyprus: Ioannis Krikidis ([email protected])

France: Steve Kremer ([email protected])

Germany: Michael Krapp ([email protected])

Greece: Eleni Orphanoudakis ([email protected]), Artemios

Voyiatzis ([email protected])

Hungary: Andras Benczur ([email protected])

Italy: Maurice ter Beek ([email protected])

Luxembourg: Thomas Tamisier ([email protected])

Norway: Poul Heegaard ([email protected])

Poland: Hung Son Nguyen ([email protected])

Portugal: José Borbinha, Technical University of Lisbon

([email protected])

Spain: Silvia Abrahão ([email protected])

Sweden: Kersti Hedman ([email protected])

Switzerland: Harry Rudin ([email protected])

The Netherlands: Annette Kik ([email protected])

W3C: Marie-Claire Forgue ([email protected])

Editorial Information Contents

ERCIM NEWS 109 April 2017

JoINt ERCIM ACtIoNS

4 ERCIM Membership

5 2017 ERCIM Cor Baayen Young

Researcher Award -

5 ERCIM “Alain Bensoussan”

Fellowship Programme

5 HORIZON 2020 Project

Management

RESEARCH ANd SoCIEty

This section on Virtual Research

Environments has been coordintated

by Keith G. Jeffery and Pierre Guisset

(ERCIM)

6 Virtual Research Environments:

How Researchers Really

Collaborate

by Keith G. Jeffery and PierreGuisset (ERCIM)

7 VRE4EIC: A Europe-Wide

Virtual Research Environment to

Empower Multidisciplinary

Research Communities and

Accelerate Innovation and

Collaboration

by Keith G Jeffery (ERCIM)

8 Scientists’ Fundamental

Requirements to Deal with their

Research Data in the Big Data Era

by Yi Yin and Anneke Zuiderwijk(Delft University of Technology)

9 A Reference Architecture for

Enhanced Virtual Research

Environments

by Cesare Concordia and CarloMeghini (ISTI-CNR)

11 Smart Descriptions and Smarter

Vocabularies

by Phil Archer (W3C)

12 Making the Development and

Deployment of Virtual Research

Environments Easy and Effective

by Leonardo Candela, DonatellaCastelli and Pasquale Pagano (ISTI-CNR)

SPECIAL tHEME

The special theme section

“Autonomous Vehicles” has been

coordinated Erwin Schoitsch (AIT) and

Fawzi Nashashibi (Inria)

Introduction to the Special Theme

18 Autonomous Vehicles

by Erwin Schoitsch (AIT)

Invited Article

20 Automated Driving

by Daniel Watzenig (Virtual VehicleResearch Center, Graz)

22 Dependability for Autonomous

Control with a Probability

Approach

by Lan Anh Trinh, Baran Cürüklüand Mikael Ekström (MälardalenUniversity)

23 Safety and Security Co-engi-

neering of Connected, Intelligent,

and Automated Vehicles

by Christoph Schmittner, ZhendongMa, Thomas Gruber and ErwinSchoitsch (AIT)

25 Adaptive Autonomy Paves the

Way for Disruptive Innovations in

Advanced Robotics

by Baran Cürüklü (MälardalenUniversity), José-Fernán Martínez-Ortega (Universidad Politécnica deMadrid) and Roberto Fresco(CREA)

13 EPOS – European Plate

Observing System: Applying the

VRE4EIC Virtual Research

Environment Model in the Solid

Earth Science Domain

by Daniele Bailo and ManuelaSbarra

14 VRE in the Data for Science

Approach to Common Challenges

in ENVRIPLUS

by Zhiming Zhao, Paul Martin(University of Amsterdam) andKeith G. Jeffery (ERCIM)

16 A Virtual Research Environment

for the Oil and Gas Domain

by Jorge dos Santos Oliveira, JoséBorbinha and Ana Teresa Freitas(INESC-ID/IST, Universidade deLisboa)

ERCIM NEWS 109 April 2017 3

26 How the Digital Business Model

can Transform and Boost the Car

Industry

by Ioannis Chrysakis (ICS-FORTH)

27 RECAR: Hungarian Research

Centre for Autonomous Road

Vehicles is on the Way

by Zsolt Szalay, DomokosEsztergár-Kiss, Tamás Tettamanti(Budapest University of Technologyand Economics) and Péter Gáspár,István Varga (SZTAKI)

29 Adding Autonomous Features to a

Production Electric Car

by Péter Gáspár, Tamás Szirányi,Levente Hajder, AlexandrosSoumelidis, Zoltán Fazekas andCsaba Benedek (MTA SZTAKI)

31 An Integrated Software

Development Lifecycle for

Intelligent Automotive Software:

The W Model

by Fabio Falcini and Giuseppe Lami(ISTI-CNR)

32 Reliable Vehicular-to-Vehicular

Connectivity

by Lisa Kristiana, Corinna Schmitt,and Burkhard Stiller (University ofZurich)

34 Why is Autonomous Localisation

Required in Lateral Cooperative

Control?

by Tom van der Sande (EindhovenUniversity of Technology), JeroenPloeg (TNO) and Henk Nijmeijer(Eindhoven University ofTechnology)

35 Safe Human-Inspired Adaptive

Cruise Control for Autonomous

Vehicles

by Alessio Iovine, Elena De Santis,Maria Domenica Di Benedetto(University of L’Aquila) and RafaelWisniewski (Aalborg University)

36 Hello Human, can you read my

mind?

by Jonas Andersson, AzraHabibovic, Maria Klingegård,Cristofer Englund and VictorMalmsten-Lundgren (RISEViktoria)

RESEARCH ANd INNoVAtIoN

This section features news about

research activities and innovative

developments from European

research institutes

46 Bringing Business Processes to

the Cloud

by Kyriakos Kritikos and DimitrisPlexousakis (ICS-FORTH)

48 Shaping Future – A Method to

Help Orient Science and

Technology Development toward

Public Preferences

by Martina Schraudner and MarieHeidingsfelder (Fraunhofer IAO)

49 User-Centric Analysis of the

CAPTCHA Response Time:

A New Perspective in Artificial

Intelligence

by Darko Brodić, Sanja Petrovska,Radmila Janković (Univ. of

CALLS, IN bRIEf

Event

58 How Ecosystems of

e-Infrastructures can support

Blue Growth

Calls

59 Minerva Informatics Equality

Award

59 2017 Best Practices in Education

Award

In Brief

59 A Digital Humanities Award for

the EAGLE Project

37 Cross-Domain Fertilisation in the

Evolution towards Autonomous

Vehicles

by Christophe Ponsard, PhilippeMassonet and Gautier Dallons(CETIC)

39 Will the Driver Seat Ever Be

Empty?

by Thierry Fraichard (Inria)

40 Intelligent Environmental

Perception for Navigation and

Operation of Autonomous Mobile

Machines

by Robert Rößler, ThomasKadiofsky, Wolfgang Pointner,Martin Humenberger and ChristianZinner (AIT)

42 Avoiding Gridlocks in the

Centralised Dispatching of a Fleet

of Autonomous Vehicles

by Franco Mazzanti, Alessio Ferrariand Giorgio O. Spagnolo (ISTI-CNR)

43 Diagnosis of Deviations in

Distributed Systems of

Autonomous Agents

by Farhad Arbab (CWI)

44 Robust Fault and Icing Diagnosis

in Small Unmanned Aircrafts

by Damiano Rotondo and Tor ArneJohansen (NTNU)

Belgrade, Serbia), Alessia Amelio(Univ. of Calabria, Italy) and IvoDraganov (Technical University ofSofia, Bulgaria)

50 How to Secure Internet of Things

Devices in an Energy Efficient

Way

by Zeeshan Ali Khan and PeterHerrmann (NTNU)

52 Security Testing for Mobile

Applications

by Peter Kieseberg, Peter Frühwirtand Sebastian Schrittwieser (SBAResearch)

53 u'smile – Secure Mobile

Environments

by Georg Merzdovnik, DamjanBuhov, Artemios G. Voyiatzis andEdgar Weippl (SBA Research)

55 ARIES: Reliable European

Identity Ecosystem

by Nicolás Notario, Alberto Crespo(Atos), Antonio Skarmeta, JorgeBernal and José Luis Cánovas(Universidad de Murcia)

56 The KandISTI/UMC Online

Open-Access Verification

Framework

by Franco Mazzanti, Alessio Ferrariand Giorgio O. Spagnolo (ISTI-CNR)


ERCIM

Membership

After having successfully grown tobecome one of the most recognized ICTSocieties in Europe, ERCIM has openedmembership to multiple member institutesper country. By joining ERCIM, yourresearch institution or university candirectly participate in ERCIM’s activitiesand contribute to the ERCIM members’common objectives playing a leading rolein Information and CommunicationTechnology in Europe:• Building a Europe-wide, open network

of centres of excellence in ICT andApplied Mathematics;

• Excelling in research and acting as abridge for ICT applications;

• Being internationally recognised both asa major representative organisation in itsfield and as a portal giving access to allrelevant ICT research groups in Europe;

• Liaising with other international organi-sations in its field;

• Promoting cooperation in research, tech-nology transfer, innovation and training.

About ERCIM

ERCIM – the European ResearchConsortium for Informatics andMathematics – aims to foster collaborativework within the European research commu-nity and to increase cooperation withEuropean industry. Founded in 1989,ERCIM currently includes 15 leadingresearch establishments from 14 Europeancountries. ERCIM is able to undertake con-sultancy, development and educationalprojects on any subject related to its field ofactivity.

ERCIM members are centres of excellenceacross Europe. ERCIM is internationallyrecognized as a major representativeorganization in its field. ERCIM providesaccess to all major InformationCommunication Technology researchgroups in Europe and has established anextensive program in the fields of science,strategy, human capital and outreach.ERCIM publishes ERCIM News, a quar-terly high quality magazine and deliversannually the Cor Baayen Award to out-standing young researchers in computerscience or applied mathematics. ERCIMalso hosts the European branch of theWorld Wide Web Consortium (W3C).

benefits of Membership

As members of ERCIM AISBL, institutions benefit from: • International recognition as a leading centre for ICT R&D, as member of the

ERCIM European-wide network of centres of excellence;• More influence on European and national government R&D strategy in ICT.

ERCIM members team up to speak with a common voice and produce strategicreports to shape the European research agenda;

• Privileged access to standardisation bodies, such as the W3C which is hosted byERCIM, and to other bodies with which ERCIM has also established strategiccooperation. These include ETSI, the European Mathematical Society and Infor-matics Europe;

• Invitations to join projects of strategic importance;• Establishing personal contacts with executives of leading European research insti-

tutes during the bi-annual ERCIM meetings; • Invitations to join committees and boards developing ICT strategy nationally and

internationally;• Excellent networking possibilities with more than 10,000 research colleagues

across Europe. ERCIM’s mobility activities, such as the fellowship programme,leverage scientific cooperation and excellence;

• Professional development of staff including international recognition;• Publicity through the ERCIM website and ERCIM News, the widely read quarter-

ly magazine.

How to become a Member

• Prospective members must be outstanding research institutions (including univer-sities) within their country;

• Applicants should address a request to the ERCIM Office. The application shouldinlcude:

• Name and address of the institution;• Short description of the institution’s activities;• Staff (full time equivalent) relevant to ERCIM’s fields of activity;• Number of European projects in which the institution is currently involved;• Name of the representative and a deputy.

• Membership applications will be reviewed by an internal board and may includean on-site visit;

• The decision on admission of new members is made by the General Assembly ofthe Association, in accordance with the procedure defined in the Bylaws(http://kwz.me/U7), and notified in writing by the Secretary to the applicant;

• Admission becomes effective upon payment of the appropriate membership fee ineach year of membership;

• Membership is renewable as long as the criteria for excellence in research and anactive participation in the ERCIM community, cooperating for excellence, are met.

Please contact the ERCIM Office: [email protected]

“Through a long history of successful research collaborations

in projects and working groups and a highly-selective mobility

programme, ERCIM has managed to become the premier net-

work of ICT research institutions in Europe. ERCIM has a consis-

tent presence in EU funded research programmes conducting

and promoting high-end research with European and global

impact. It has a strong position in advising at the research pol-

icy level and contributes significantly to the shaping of EC

framework programmes. ERCIM provides a unique pool of

research resources within Europe fostering both the career

development of young researchers and the synergies among

established groups. Membership is a privilege.”Dimitris Plexousakis, ICS-FORTH, ERCIM AISBL Board


JointERCIM Actions

ERCIM “Alain bensoussan”

fellowship Programme

ERCIM offers fellowships for PhD holders from all overthe world. Topics cover most disciplines in ComputerScience, Information Technology, and AppliedMathematics. Fellowships are of 12 months duration,spent in one ERCIM member institute. Fellowships areproposed according to the needs of the member institutesand the available funding.

Application deadlines for the next round: 30 April and

30 September 2017

More information: http://fellowship.ercim.eu/

Call for Nominations

2017 ERCIM Cor baayen

young Researcher Award

The Cor Baayen Young Researcher Award is awarded eachyear to a promising young researcher in computer scienceand applied mathematics. The award was created in 1995 tohonour the first ERCIM President. The award consists of acheque for € 5000 together with an award certificate.

Eligibility

Nominees must have carried out their work in one of the'ERCIM countries': Austria, Cyprus, Finland, France,Germany, Greece, Hungary, Italy, Luxembourg, Norway,Poland, Portugal, Sweden and The Netherlands. Nomineesmust have been awarded their PhD (or equivalent) after 30April 2014. A person can only be nominated once for the CorBaayen Award.

The Cor Baayen award is a young researcher prize: Theselection panel will therefore consider the quality of the PhDthesis and all the achievements done up to the nominationdate.

The nominees must have performed their research during atleast one year in an institution located in one of the countriesmentioned above.

Submitting a nomination

Nominations have to be made by a staff member of anERCIM member institute. Self nominations are not accepted.Each institute can forward two nominations to the final eval-uation. If there are more than two nominations coming froman ERCIM member institute, it is the responsibility of thisinstitute to select the maximum two nominees. Nominationsmust be submitted online.

Selection

The selection of the Cor Baayen Young Researcher Awardwinner is the responsibility of the ERCIM Human CapitalTask Group, who might consult expert opinion in reachingtheir decision.

Deadline for nominations: 15 May 2017

Details and application form:

https://www.ercim.eu/human-capital/cor-baayen-award

The Cor Baayen Young Researcher Award is named after the

first president of ERCIM and the ERCIM 'president d'hon-

neur'. Cor Baayen played an important role in its foundation.

Cor Baayen was scientific director of the Centrum voor

Wiskunde en Informatica (CWI) in the Netherlands, from

1980 to 1994.

HoRIZoN 2020

Project Management

A European project can be a richly rewarding tool forpushing your research or innovation activities to the state-of-the-art and beyond. Through ERCIM, our member instituteshave participated in more than 80 projects funded by theEuropean Commission in the ICT domain, by carrying outjoint research activities while the ERCIM Office success-fully manages the complexity of the project administration,finances and outreach.

The ERCIM Office has recognized expertise in a full rangeof services, including identification of funding opportunities,recruitment of project partners, proposal writing and projectnegotiation, contractual and consortium management, com-munications and systems support, organization of attractiveevents, from team meetings to large-scale workshops andconferences, support for the dissemination of results.

How does it work in practice?

Contact the ERCIM Office to present your project idea and apanel of experts will review your idea and provide recom-mendations. If the ERCIM Office expresses its interest toparticipate, it will assist the project consortium as describedabove, either as project coordinator or project partner.

Please contact:

Philippe Rohou, ERCIM Project Group [email protected]

Research and Society: Virtual Research Environments

How researchers collaborate is per se a research topic!

Many scientific problems are related across different

domains: for example, the global climate changes involve

knowledge from eco-system, ocean, atmosphere and

earth as well as from energy science and human-related

activity modelling. Scientists face great challenges in

handling collaboration among different disciplines and in

modelling and discovering knowledge in massively

available data from a wide diversity of domains. Today,

data-driven approaches are considered as good

alternatives to drive scientific research activities.

Virtual Research Environments (VRE) are the online soft-ware systems enabling collaboration between researchersfrom different scientific domains. Creating efficient VRE isfocusing significant interest from the research community.The main scientific challenges are:• Data context issues (metadata)• Data heterogeneity issues• Fast-changing data issues• Data quality issues• Privacy issues• User experience issues• Software issues.

ERCIM is taking a leading role in Europe for drivingresearch activities in VRE, as demonstrated by the contribu-tions featured in this issue of ERCIM News.

We start with Keith Jeffery describing the heterogeneity ofResearch Infrastructures and their research communities andintroducing VRE4EIC (www.vre4eic.eu), an H2020 researchand innovation action led by ERCIM and targeting to over-come this heterogeneity.

Then, four contributions are highlighting critical aspects ofefficient VRE:• Yi Yin and Anneke Zuiderwijk (TU Delft, The Nether-

lands) are presenting the fundamental requirements for aVRE in the Big Data Era.

• Cesare Concordia and Carlo Meghini (CNR, Italy) aredocumenting a reference (software) architecture forenhanced VRE (e-VRE).

• Phil Archer (ERCIM/W3C) is addressing the issue relatedto metadata, by reporting on the The Smart Descriptions &Smarter Vocabularies Workshop (SDSVoc) hosted by CWIin Amsterdam end of 2016

• Leonardo Candela, Donatella Castelli and PasqualePagano (CNR, Italy) are proposing innovative methods formaking the development and the deployment of VRE aseasy and effective as possible.

And finally, three contributions are focusing on VRE usageand benefits in integrating Research Infrastructures:

• The European Plate Observing System (EPOS,https://www.epos-ip.org/) aims at creating a pan-Europeaninfrastructure for solid Earth science to support a safe andsustainable society, by Daniele Bailo and Manuela Sbarra(INGV, Italy).

• Zhiming Zhao, Paul Martin (both University of Amster-dam, The Netherlands) and Keith Jeffery are discussingthe aim to design and develop a suite of standard solutionsto those common problems based on the reference modelof environmental Research Infrastructures (ENVRI-RM,see http://www.envriplus.eu/) and the e-VRE architectureproposed by VRE4EIC.

• Jorge dos Santos Oliveira, José Borbinha and Ana TeresaFreitas (Universidade de Lisboa) are describing the designand development of a VRE for supporting studies usingmetagenomic data applied to the oil and gas domain.

Globally, 70.000 researchers are working in related scientificfields and thus are potential end users of new VRE. It is thusof the utmost importance to provide them with the most effi-cient tools to support them in their findings. This is the mis-sion of the VRE research community.

Please contact:

Keith G. Jeffery, Pierre Guisset, ERCIM,[email protected], [email protected]


Virtual Research Environments:

How Researchers Really Collaborateby Keith G. Jeffery and Pierre Guisset (ERCIM)


VRE4EIC: A Europe-Wide

Virtual Research

Environment to Empower

Multidisciplinary Research

Communities and

Accelerate Innovation

and Collaboration

by Keith G Jeffery

Research Infrastructures and their research

communities are heterogeneous. This is a barrier to

one community (re-)using the assets of another.

VRE4EIC aims to overcome this heterogeneity.

Research has increasingly become specialised into commu-nities such as oceanography, ecology, geology, materials sci-ence. However, many phenomena can only be understood bybringing together the research activities of several communi-ties. Examples include the relationship between shellfishpollution, algal blooms and agricultural use of nitrates or therelationship between health problems, climate and socialconditions. Recently, many communities have developedpan-European research infrastructures (RIs) bringingtogether several national research teams and assets such asdatasets, software, publications, expert staff, sensors andequipment. One way to assist and encourage interdiscipli-nary research is to bring together the communities and assetsof the RIs.

However, this collaboration comes with complications. Eachcommunity has developed its own standards for research

methods, data formats, software to be used, etc. This makesit difficult for an ecologist, for instance, to utilise oceano-graphic data. The heterogeneity is especially evident in dig-ital representations of data, software, people, organisations,workflows and equipment. However, many of these assetsare represented digitally by metadata providing a succinctdescription of the asset. The metadata standard chosenvaries from community to community. On the other hand,there is a limited set of basic things (entities or objects) thatare involved in research (for example, data, people, samples)and so the various metadata standards have some common-ality in the things they represent – although they do so in dif-ferent ways.

Thus, the ‘line of attack’ to provide multidisciplinarity forresearchers is to try to harmonise the metadata and thus gainaccess to – and (re-)utilisation of – the assets. There are twobasic approaches: the software broker approach providesmapping and conversion between pairs of metadata stan-dards. This results in n(n-1) convertor pairs. The alternativeapproach is to choose a canonical superset metadata standardand convert each metadata standard to/from that. Thisresults in n convertor pairs. This metadata-driven brokeringis now regarded as the best approach [1]. However, again wehave two choices; the canonical superset may be realisedphysically – so providing an ‘umbrella’ consistent metadataresource or catalog over all the participating RIs or thesuperset metadata may just be a reference syntax (structure)and semantics (meaning) and each RI provides its pair ofconvertors. The latter approach leads to an architecture withpeer RI to RI communication, requiring quite some softwareat each RI to interact with the other RIs and generate appro-priate workflows. The former leads to a system over the RIs– linked to them via Application Programming Interfaces(APIs) – commonly named a Virtual Research Environment(VRE), which has the advantage of a ‘helicopter view’ overthe participating RIs and so can generate workflows opti-mally. Either way, the core of a VRE is the superset catalog(whether conceptual or physical).

7

Figure�1:�e-VRE�architecture�coneptual�components.

ngivMo

turcethicrAcr Aencerefe Rthemo frng

etur

achnice T Tetheoteturcethic

l


VRE4EIC [L1] aims at providing a model for such VREs,

which includes requirements, reference architecture and

implementation on two use cases to demonstrate its feasi-

bility and innovative impact. VRE4EIC has chosen CERIF

(Common European Research Information Format: an EU

recommendation to Member States) [L2] to denote the

superset catalog.

In fact, a VRE provides more than access to the assets of RIs;

it also provides researcher intercommunication through var-

ious means and software to generate workflows to harness the

available analytics, visualisation and simulation capabilities

of the RIs. Ideally the VRE workflow should be optimised to

ensure co-location of data and software which means moving

data to the software from the various RIs participating or –

especially as datasets become larger – moving the software to

the data. This has implications in terms of access rights, pri-

vacy and security and in finding an equitable method of ‘pay-

ment’ for use of the RI assets. The VRE may also use e-Is (e-

Infrastructures) such as eternal curated storage or supercom-

puting services with the requirement to manage the deploy-

ment of (parts of) the workflow to these e-Is. The VRE

should assist the researcher with research management;

assisting in finding relevant research, assisting in research

proposals, tracking research portfolio and cataloguing

research outputs (such as scholarly publications, patents,

datasets, software) since increasingly funding organisations

utilise such information in planning future research pro-

grammes and in evaluating the quality of research proposals.

VRE4EIC has undertaken a considerable amount of require-

ments collection and analysis, and has characterised many RIs

to understand their available interfaces. The architecture has

been designed (Figure 1) and construction is underway. The

prototype will be evaluated by the RIs that are in the project

first, and then other RIs will be invited to evaluate the system.

In parallel, VRE4IC has been cooperating with other VRE

projects, notably EVER-EST in Europe but also – via the

VRE Interest Group of RDA (Research Data Alliance) – SGs

(Science Gateways) in North America and VLs (Virtual

Laboratories) in Australia. In parallel, the various metadata

groups of RDA, coordinated by Metadata Interest Group

(MIG), are working on a standard set of metadata elements –

to be used to describe RI assets in catalogs -– which are not

simple attributes with values but will have internal syntax

and semantics [2].

Links:

[L1] vre4eic.eu

[L2] www.eurocris.org/cerif/main-features-cerif

References:

[1] Stefano Nativi, Keith G. Jeffery, Rebecca Koskela:

“Brokering with Metadata”, ERCIM News 100,

http://kwz.me/W1

[2] Keith G Jeffery, Rebecca Koskela: “The Importance of

Metadata”, ERCIM News 100, http://kwz.me/W2

Please contact:

Keith G Jeffery

ERCIM Scientific Coordinator of VRE4EIC

[email protected]


Scientists’ Fundamental

Requirements to Deal with

their Research Data in the

Big Data Era

by Yi Yin and Anneke Zuiderwijk (Delft University of

Technology)

Collaboration among researchers from different

disciplines is becoming an essential ingredient of

scientific research. In order to solve increasingly

complex scientific and social conundrums, research

data needs to be shared among researchers from

different disciplines. New technologies pave the way

for unlimited potential for preserving, analysing and

sharing research information. The methods used to

leverage information technologies to deal with

research data vary significantly among scientists,

and likewise the requirements of individual

scientists vary.

The need for data sharing

Science requires the collection and use of research data. The

importance of data for science is equivalent to that of water

for life. The proliferation of information communication

technologies and other technological innovations has trans-

formed how scientific research is conducted. The new trend

in scientific research covers new research domains, funding

sources and way of disseminating research results. More data

is accumulated and scientists are more connected in the dig-

ital era, which is significantly changing all the phases of sci-

entific research. Modern scientific research, which is

increasingly data-intensive and complex, requires multidis-

ciplinary collaboration as well as the support of large-scale

research infrastructures and high-end experiment instru-

ments, such as artificial intelligence, ecology science, health,

biodiversity, culture and heritage research. In addition to

obtaining funding from governments, research institutes or

industries, crowdsourcing is also becoming a source of

funding for scientific research: the widespread use of

Kickstarter [L1] is a case in point. The way of communi-

cating research results and output is also evolving. Open

access and data sharing which allow everyone to access any

research data, not limited to scientific publications and

datasets, are increasingly favoured by society as a whole [1]

[2]. Virtual research environments (VREs) can be used to

support this more advanced type of research data sharing and

to support collaboration among researchers.

The needs of researchers

In order to understand the fundamental needs of scientists

to conduct various research activities in a VRE, ten inter-

views were conducted with scientists from different

research domains. End-user requirements were collected

for each of the activities in the lifecycle of scientific

research. The requirements for developing a VRE fall into

two categories: functional requirements, which describe

what the system should do; and non-functional require-

ments, which include quality or performance attributes.

https://www.vre4eic.eu/


Building on the outcomes of the ENVRIplus project [L2]the elicited functional requirements were grouped intoseven categories:• Data identification and citation, which covers the identifi-

cation of various types of research data and associatedmetadata and provides clear references for specificdatasets in terms of citation. The use of persistent andunique identifiers for both data and metadata we found tobe crucial for data identification and citation.

• Data curation, which includes all processes and activitiesto manage acquired datasets, for instance, detailed datamanagement planning and workflows for data manage-ment.

• Data Cataloguing, which refers to the collection and cat-aloguing of information for various categories associatedwith research activities, for instance experiment equip-ment, data processing software, data products, publica-tions, research individuals and organisations, researchevents and research objectives.

• Data processing, which covers the functionalities relatedto searching, processing and analysing data.

• Data provenance, which covers the functionalities to trackthe changes of datasets.

• Collaboration, training and support, which covers thefunctionalities related to research collaboration and train-ing, for instance user interface configuration, establish-ment of research groups and the supervision of researchprogress.

Besides the functional requirements, the non-functionalrequirements specify quality attributes related to functionalrequirements for a VRE. According to the interviewedresearchers, a quickly-accessible, reliable, easy-to-use, low-cost VRE is needed. Besides the performance-relatedrequirements, VREs also need to consider ethical, legal andprivacy and security perspectives according to the guidelinesand principles defined by the ‘European Charter for Accessto Research Infrastructures’ [L3]. The non-functionalrequirements are categorised into: • System performance related requirements defined by

FURPS+ and ISO 25010:2011, for instance performanceefficiency, usability, reliability, maintainability, compati-bility and portability of the information system.

• Privacy, security, trust and legal requirements, whichspecify that the whole development of the VRE shouldcomply with all legislations, especially how the use of theVRE should be robust against cyber-attacks in terms ofprotected information privacy and security regulated bythe new General Data Protection Regulation [L4]. Trustrequirements specify the acceptable behaviour of thestakeholders in the VRE system, such as users, systemdevelopers and service providers.

From the survey and from the existing VRE-related projects,we elicited various requirements regarding the whole life-cycle of scientific research. However, scientific research isevolving all the time, and it is unrealistic for the designedVRE system to cover all the evolving needs of scientists. Thedesigned VRE system therefore needs to be adaptive andflexible to connect to other existing research infrastructuresto collectively serve scientists’ needs.

Links:

[L1] www.kickstarter.com/[L2] www.envriplus.eu/[L3] ec.europa.eu/research/infrastructures/index_en.cfm?pg

=access_ri[L4] http://ec.europa.eu/justice/data-

protection/reform/index_en.htm

References:

[1] Fecher, B., Friesike, S., & Hebing, M. (2015). Whatdrives academic data sharing? Plos One, 10(2).doi:10.1371/journal.pone.0118053

[2] Zuiderwijk, A., & Janssen, M. (2014). Open data poli-cies, their implementation and impact: A framework forcomparison. Government Information Quarterly, 31(1),17-29. doi:10.1016/j.giq.2013.04.003

Please contact:

Yi Yin, Anneke Zuiderwijk Delft University of Technology, The [email protected], [email protected]

9

A Reference Architecture

for Enhanced Virtual

Research Environments

by Cesare Concordia and Carlo Meghini (ISTI-CNR)

Virtual Research Environments (VREs) are rapidly

becoming a popular technology for supporting scientists

during their research work. In order to overcome the

current heterogeneity, a reference architecture for VREs

is being developed by the VRE4EIC Project.

The goal of a Virtual Research Environment (VRE) system isto decouple science from ICT complexity, by providingresearchers with a facility that takes care of ICT, thusallowing them to focus on their work. In this sense, a VRE isa fundamental component of an e-Research Infrastructure (e-RI) as it makes the resources of the e-RIs easily accessibleand reusable to the community of researchers that owns thee-RI. Here, by e-RI we mean ‘facilities, resources and relatedservices used by the scientific community to conduct top-level research in their respective fields’ [L1] while ‘resource’indicates any ICT entity that is of interest in an e-sciencecommunity. Typically, a resource is owned by an e-RI thatprovides an identity for the resource and manages it, makingit accessible and re-usable. Examples of resources include:datasets, workflows, algorithms, web services, computa-tional or storage facilities, cloud endpoints etc. In general, aVRE is expected to:• allow researchers to communicate with each other and to

share and use the resources available in the community’se-RI

• allow researchers to advance the state of the art by build-ing new resources as the result of processing existingresources with the available tools. Such processing may be

http://ec.europa.eu/research/infrastructures/index_en.cfm?pg=access


the application of an individual piece of software to adataset, such as the extraction of certain knowledge froma single file; or, it may result from the execution of a com-plex workflow obtained by combining available services,including other workflows

• allow research managers to apply economy of scale mod-els to access and manage resources that researchers or sin-gle organisations alone could not afford.

The most advanced e-RIs have developed their own VRE,showing awareness of the crucial role that a VRE can playfor their researchers. Others are currently designing theirVRE. However, the number of currently existing or designedVREs is very limited; more importantly, these VREs show agreat heterogeneity in scope, features, underlying protocolsand technologies, partially defeating the interoperability goalthat lies at the very heart of a VRE. One of the major goals ofthe VRE4EIC project is to overcome this issue by proposinga reference architecture for an enhanced VRE (e-VRE).Based on a thorough analysis of the requirements of a VRE,and on the characterisation of an ample range of existingresearch infrastructures, the project has individuated threelogical tiers in e-VRE:• The Application tier, which provides functionalities to

manage the system, to operate on it, and to expand it, byenabling administrators to plug new tools and services intothe e-VRE.

• The Interoperability tier, which deals with interoperabilityaspects by providing functionalities for: i) enabling appli-cation components to discover, access and use e-VREresources independently from their location, data modeland interaction protocol; ii) publishing e-VRE functional-ities via a Web Service API; and iii) enabling e-VRE appli-cations to interact with each other.

• The Resource Access tier, which implements functionali-ties that enable e-VRE components to interact with eRIs’resources. It provides synchronous and asynchronouscommunication facilities.

In each tier, a set of basic functionalities has been groupedinto six conceptual components:

• The e-VRE management is implemented in the systemmanager component. The system manager can be viewedas the component enabling users to use the core function-alities of the e-VRE: access, create and manage resourcedescriptions, query the e-VRE information space, config-ure the e-VRE, plug and deploy new tools in the e-VREand more.

• The workflow manager enables users to create, executeand store business processes and scientific workflows.

• The linked data (LD) manager is the component that usesthe LOD (Linked Open Data) paradigm, based on theresource description framework (RDF) data model, topublish the e-VRE information space – i.e., the metadataconcerning the e-VRE and the e-RIs in a form suitable forend-user browsing in a semantic web (SM)-enabledecosystem.

• The metadata manager (MM) is the component responsi-ble for storing and managing resource catalogues, userprofiles, provenance information, preservation metadataused by all the components using extended entity-relation-al conceptual and object-relational logical representationfor efficiency.


• The interoperability manager provides functionalities toimplement interactions with e-RIs’ resources in a transpar-ent way. It can be viewed as the interface of e-VREtowards e-RIs. It implements services and algorithms toenable e-VRE to: communicate synchronously or asyn-chronously with e-RIs’ resources, query the e-RIs’ cata-logues and storages, map the data models.

• The authentication, authorisation, accounting infrastruc-ture (AAAI) component is responsible for managing thesecurity of the e-VRE system. It provides user authentica-tion for the VRE and connected e-RIs, authorisation andaccounting services, and data encryption layers for com-ponents that are accessible over potentially insecure net-works.

Each conceptual component is further structured into one ormore actual software components and possibly sub-compo-nents. The complete list of these components can be found in[1], which also provides the interfaces implemented by eachcomponent, and the usage relationships between such inter-faces. Each interface is in turn articulated into a set ofmethods, whose signature is also provided.For instance, the metadata manager component consists offour sub-components, each devoted to a specific metadatatype: the user, resource, preservation and provenance cata-logue. The project is now entering into its developmentphase, during which it will provide implementation for somecomponents, retrofitting them to existing VREs, in order toenhance them.

Link:

[L1] ec.europa.eu/research/infrastructures/index_en.cfm?pg=what

References:

[1] Carlo Meghini (ed.): “Architecture Design”, Deliver-able D3.1 of the VRE3EIC Project. Available ondemand by the project coordinator (seehttp://www.vre4eic.eu/).

Please contact:

Carlo Meghini, ISTI-CNR, Italy [email protected]

http://ec.europa.eu/research/infrastructures/index_en.cfm?pg=access


High level descriptions of any dataset are likely to be verysimilar (title, licence, creator etc.) but to be useful to anotheruser, the metadata will need to include domain-specificinformation. A high profile case is data related to specificlocations in time and space, and one can expect this to be partof the general descriptive regime. On the other hand, highlyspecialized data, such as details of experiments conducted atCERN, will always need esoteric descriptions.

An important distinction needs to be made between data dis-covery – for which the very general approach taken byschema.org is appropriate – and dataset evaluation. In thelatter case, an individual needs to know details of things likeprovenance and structure before they can evaluate its suit-ability for a given task.

A descriptive vocabulary is only a beginning. In order toachieve real world interoperability, the way a vocabulary isused must also be specified. Application Profiles define car-dinality constraints, enumerated lists of allowed values ofgiven properties and so on, and it is the use of these thatallows data to be validated and shared with confidence.Several speakers talked about their validation tools and it’sclear that a variety of techniques are used. Validation tech-

niques as such were out of scope for theworkshop, although there were manyreferences to the emerging SHACL [L3]standard. Definitely in scope howeverwas how clients and servers mightexchange data according to a declaredprofile. That is, apply the concept ofcontent negotiation not just to contenttype (CSV, JSON, RDF or whatever)but also the profile used. The demandfor this kind of functionality has beenmade for many years and proposalswere made to meet that demand infuture standardization work.The workshop concluded that a newW3C Working Group should be formedto:• revise and extend DCAT;• provide guidance and exemplars of its

use;• standardize, or support the standardi-

zation elsewhere, of content negotia-tion by profile.

A full report on the event is published by W3C [L4] alongwith the agenda that links to all papers and slides, and a com-plete list of attendees. The W3C membership is being con-sulted on the formation of the new working group, expectedto begin its work in May 2017.

Links:

[L1] www.eurocris.org/cerif/main-features-cerif[L2] www.w3.org/TR/vocab-dcat/[L3] www.w3.org/TR/shacl/[L4] www.w3.org/2016/11/sdsvoc/report

Please contact:

Phil Archer, [email protected]

Smart descriptions and

Smarter Vocabularies

by Phil Archer (W3C)

Sharing data between researchers, whether openly or

not, requires effort, particularly concerning its

metadata. What is the minimum metadata needed to

aid discovery? Once data has been discovered, what

metadata is needed in order to be able to evaluate its

usefulness? And, since it’s not realistic to expect

everyone to use the same metadata standard to

describe data, how can different systems interoperate

with the metadata that is commonly provided? These

topics and more were discussed in Amsterdam in late

2016.

The Smart Descriptions & Smarter Vocabularies Workshop(SDSVoc) was organized by ERCIM/W3C under the EU-funded VRE4EIC project and hosted by CWI in Amsterdam.Of 106 registrations, it is estimated that 85-90 peopleattended. The event comprised a series of sessions in which

thematically related presentations were followed by Q&Awith the audience, which notably included representativesfrom both the scientific research and government open datacommunities.

The workshop began with a series of presentations of dif-ferent approaches to dataset description, including theCERIF [L1] standard used by VRE4EIC, followed by aclosely related set of experiences of using the W3C’s DataCatalog Vocabulary, DCAT [L2]. It was very clear from thesetalks that DCAT needs to be extended to cover gaps thatpractitioners have found different ways to fill. High on thelist is versioning and the relationships between datasets, butother factors such as descriptions of APIs and a link to a rep-resentative sample of the data are also missing.

Participants�of�the�Smart�Descriptions�&�Smarter�Vocabularies�Workshop.�



Making the development

and deployment of Virtual

Research Environments

Easy and Effective

by Leonardo Candela, Donatella Castelli and Pasquale

Pagano (ISTI-CNR)

Virtual research environments are emerging as an

invaluable tool for scientists, enabling professionals in

different fields to collaboratively and seamlessly access

and use resources (computing, datasets, services)

spread across several providers. This solution is

particularly relevant in long-tail science contexts, i.e.,

when researchers and practitioner communities lack

dedicated resources to perform their research.

Implementing such a solution requires an approach that

is open, flexible, and can easily evolve.

Virtual Research Environments (VREs) are web-based, com-munity-oriented, collaborative, user-friendly, open-science-compliant working environments for scientists and practi-tioners working together on a research task [1]. They sharecommonalities with Science Gateways (SG) and VirtualLaboratories (VL). The overall goal is to provide scientistsand researchers with integrated and user friendly access todata, computing and other services that are usually spreadacross multiple diverse data and computing infrastructures.Furthermore, they are designed to enact and promote collab-oration among their members.

To develop and operate this type of working environment, itis necessary to: (a) develop a set of interoperability solutionsthat can interface the VRE services with the subset ofexisting resources that are relevant to a particular researchproject and offered by ‘third-party’ providers, (b) develop aset of basic user-friendly services promoting collaborativeand open-science-friendly interaction among the VRE mem-bers, (c) consider short and long term provisioning of boththe working environment and the products resulting from it.

Owing to these characteristics, the development and opera-tion of such environments is incompatible with ‘fromscratch’ and ‘isolated’ approaches. Developing and main-taining a ‘mediator’ to interface with a given e-infrastructurerequires significant investment in time and effort that can bebetter afforded by applying economies of scale and scope(namely, by using it in the context of many VREs).

To meet this need, we have designed and developed a tech-nology (actually, a software system) named gCube [2]capable of creating and operating an e-infrastructure offeringVREs with the ‘as-a-service’ paradigm.

gCube has been progressively endowed with: (i) a rich arrayof ‘mediators’ for interfacing with existing ‘systems’ andtheir enabling technologies including distributed computinginfrastructures (e.g., EGI) and data providers (e.g., by relyingon standards like OAI-PMH, SDMX, OGC W*S) as well as

for making it possible for third-party service providers toeasily exploit gCube facilities (e.g., OAuth, OGC W*S,REST APIs); (ii) a set of basic services including a sharedworkspace where the objects used and resulting from VREactivity (beyond simple files) can be stored, organised andaccessed as if they were in a ‘standard’ file-manager; a socialnetworking area where members of each VRE can have dis-cussions, share news and other material of interest, rate eachitem of a discussion, classify the discussion items by hash-tags, refer to people or groups thus to call for actions fromthem, etc.; a user management area where authorised peopleare allowed to manage VRE membership, to create groups,assign members to groups, assign roles to members, invitenew members, etc.; an open, customisable and extensible setof facilities made available for the needs of the specific com-munity. These include a project management and issue-tracking system with a wiki, a rich and extensible data ana-lytics platform, a flexible ‘products’ catalogue where any(research) artefact produced in the VRE that is worth beingpublished can be easily made available by equipping it withrich metadata including licence and provenance, a rich arrayof domain data management facilities. VREs are created byusing a wizard-based approach where a VRE designer issimply requested to select (among the existing ones) thefacilities and resources he/she is willing to have in the VRE,and then upon approval the VRE is automatically provi-sioned and made available by a web-based portal.

This technology is currently enacting the D4Science e-Infrastructure] and exploited to create and operate more than70 diverse VREs [L1]. Overall, these VREs are serving morethan 3,100 (returning) scientists in 44 countries across a richarray of diverse communities usually associated with inter-national initiatives and projects, e.g., i-Marine (fisheries andmarine biodiversity scientists), BlueBRIDGE (fisheries andaquaculture scientists, educators & SMEs), SoBigData.eu(social mining scientists), ENVRI+ (environmental scien-tists), AGINFRA+ (agriculture scientists), PARTHENOS(cultural heritage practitioners), EGIP (geothermal scien-tists), OpenAIRE-Connect (multidisciplinary communitydealing with scholarly communication and open science,EDISON (data science educators).

Link:

[L1] services.d4science.org/explore

References:

[1] L. Candela, D. Castelli, P. Pagano: “Virtual ResearchEnvironments: An Overview and a Research Agenda”Data Science Journal. 12, pp. GRDI75–GRDI81, 2013.DOI: http://doi.org/10.2481/dsj.GRDI-013

[2] M. Assante, et al.: “Virtual research environments as-a-service by gCube”, PeerJ Preprints 4:e2511v1 2016,https://doi.org/10.7287/peerj.preprints.2511v1

Please contact:

Leonardo CandelaISTI-CNR, Italy [email protected]

https://services.d4science.org/explore


From the above organisational architecture, it is quite clearthat EPOS integrated core services are an example of a virtualresearch environment (VRE). EPOS ICS is indeed currentlyone of the use cases that will take advantage of architectureparadigm developed by the VRE4EIC project [L2] at theimplementation stage.

An architectural model was developed in VRE4EIC, fol-lowing a rigorous method that started from the use cases,elicited the requirements, listed the system functionalitiesand finally developed an abstract architecture on the basis ofthe functionalities. The architecture is based on a modularparadigm, and the functionalities are implemented by anumber of core components. In order to validate theVRE4EIC components, EPOS has been selected as one ofthe use cases to demonstrate the robustness and scalability ofthe VRE4EIC model.

In the framework of EPOS ICS implementation, one of themain components is the metadata manager. As describedelsewhere [1], metadata is the main concept over which thewhole EPOS VRE – in agreement with the VRE4EIC model– builds upon. The metadata manager, implemented as ametadata catalog, contains all the information that the systemneeds to manage in order to satisfy a user request. It containsthe descriptions in a digital representation of the EPOS e-Infrastructure, including data, software, users and resourcessuch as computers, detectors or laboratory equipment. Asrecommended by VRE4EIC, it uses CERIF [L4] as a tool toharmonise information on research. CERIF describesdatasets but also software, services, users and resources suchas computers, datastores, laboratory equipment and instru-ments and has already been used in the context of environ-mental sciences [2].

Another key component of EPOS implementation is theinteroperability layer (Figure 1). This layer contains all thesub-components (mappers, convertors etc.) devoted to thecommunication with the national research infrastructure.One of its main functions is metadata exchange: metadata

from data providers should be harvested by theICS main system (the VRE). It requires theconstruction of mappers, to map the commu-nity specific metadata to CERIF, and conver-tors. When the metadata cannot be harvested,as in the case of provision of service based sys-tems (e.g., web mapping services that provideaccess to geological maps), the web servicesneed to be mapped in order to enable the VREto broker the access to data. This layer alsoincludes all the semantic mapping, which iscurrently one of the greatest challenges totackle. Examples of mapping from mostknown metadata ISO standards have beenstudied and implemented in the EPOS VRE[3] and in other contexts [2]. Mappings fromone metadata standard to another are currentlyunder development in VRE4EIC in the frame-work of WP4 with a dedicated tool, namely the‘3M’ (mapping memory manager) [L6] devel-oped by ICS-FORTH.

EPoS – European Plate

observing System:

Applying the VRE4EIC

Virtual Research

Environment Model in the

Solid Earth Science domain

by Daniele Bailo and Manuela Sbarra

The European Plate Observing System (EPOS) aims at

creating a pan-European infrastructure for solid Earth

science to support a safe and sustainable society. In

accordance with this scientific vision, the mission of

EPOS is to integrate the diverse and advanced European

Research Infrastructures for solid Earth science relying

on new e-science opportunities to monitor and unravel

the dynamic and complex Earth system.

The EPOS architecture [L1] is composed of three connectedtechnical and organisational layers (Figure 1):• National research infrastructures (NRI)• Thematic core services (TCS)• Integrated core services (ICS).

Multidisciplinary data and data products are organised andgoverned by the thematic core services (TCS) and are driven byvarious scientific communities encompassing a wide spectrumof Earth science disciplines (e.g., EIDA/ORFEUS in seis-mology [L3]). Such communities rely in turn on data providedat a national level by national research infrastructures (NRIs).

TCS data, data products, services and software will be inte-grated into integrated core services (ICS), a platform that willensure their interoperability and access to these services by thescientific community and other users.

Figure�1:�Key�elements�of�the�EPOS�Functional�Architecture



VRE in the data

for Science Approach

to Common Challenges

in ENVRIPLUS

by Zhiming Zhao, Paul Martin (University of Amsterdam)

and Keith G. Jeffery (ERCIM)

Environmental Research Infrastructures (RIs) face

common challenges regarding data management and

how best to support the activities of scientists at all

stages of the research data and experimentation

lifecycle. The ENVRIPLUS ‘Data for Science’ theme aims

to design and develop a suite of standard solutions to

those common problems based on the reference model

of research infrastructures (ENVRI-RM) and the e-VRE

architecture proposed by VRE4EIC.

Environmental science research is increasingly dependent onthe collection and analysis of large volumes of data gatheredvia wide-scale deployments of sensors and other observationsources. To study the development of earthquakes or volca-noes for example, one needs continuous observation of thesurrounding geographic regions and their underlying stratain order to obtain the data necessary to model various seis-mological processes and their interactions. Depending on theproblem scale and geographical focus, these observationscan only be provided by sources distributed across differentcountries, institutions and data centres. Moreover, suchresearch activities also often require advanced computingand storage infrastructure in order to analyse, process andmodel the data, and to perform simulations. Advancedresearch support environments (i.e., specialised infrastruc-ture to support research) are clearly needed to better enableresearchers to access data, software tools and services fromdifferent sources, and to integrate them into cohesive experi-mental investigations with well-defined, replicable work-flows for processing data and recording the provenance ofresults for peer review.

A recent publication [1] identified several kinds of supportenvironment that must be made to work together to supportdata-centric research:• computing, storage and network infrastructures, e.g., pro-

vided via EGI [L1], EUDAT [L2] and GEANT [L3], alsocalled e-Infrastructures (e-Is);

• services for accessing, searching and processing researchdata within different scientific domains, called ResearchInfrastructures (RIs), e.g., ICOS [L4], EPOS [L5] andEURO-ARGO [L6] for the atmospheric, earth and marinesciences respectively; and

• environments for providing user-centred support for dis-covering and selecting data and software services fromdifferent sources, and composing and executing applica-tion workflows based on them, called Virtual ResearchEnvironments (VREs) [L7] or Science Gateways (SGs)[2]. These different types of supporting environmentsoften overlap with each other, as shown in Figure 1.

Other components in the EPOS ICS system include: (a) anAAAI (Authentication, Authorisation, AccountingInfrastructure) module [L5], dedicated to the secure authenti-cation and authorisation of users also with different authenti-cation systems (SAML, OAuth, OpenID, X.509 and relatedproducts such as EduGAIN, Shibboleth, Kerberos andothers); (b) a system manager and a workflow engine, thatmanage the user request, establish the list of actions to beexecuted, execute the workflow and assemble the output.

In this context, VRE4EIC is providing the above architec-tural framework, together with state-of-the-art methods andbest practices, to enable any research infrastructure to get tothe level of a virtual research environment. Virtual researchenvironments enhance the functionalities of the researchinfrastructures, that usually provide access to domain spe-cific data, by widening the level of integrated informationavailable to the user. In the case of EPOS, information aboutspecific data, together with usage computational services andtutorial, training and other types of documentation that canenable any citizen scientist to have knowledge about solidEarth processes, will be available.

The innovation impact of the VRE4EIC architecture – basedon metadata brokered paradigms – is enormous and not yetfully exploited, especially in the environmental data domain,where the integration of different types of data (e.g., seismic,geological, geodetical) together with computational tool andremote collaborative tools, can help to monitor and unravelthe dynamics and the complexity of the Earth system.

Importantly, the use and re-use of data and the harmonisedaccess to services that the creation of VREs can enable, willfoster the creation of new scientific data products, which canbe made accessible through the same EPOS VRE platform.The potential impact of this new scientific delivery system forenvironmental sciences and for the society is still unexplored.

Links:

[L1] https://epos-ip.org/[L2] http://www.vre4eic.eu[L3] www.orfeus-eu.org/[L4] www.eurocris.org/cerif/main-features-cerif[L5] epos-ip.org/glossary/aaai [L6] 139.91.183.3/3M/

References:

[1] K. Jeffery, D. Bailo: “EPOS: Using Metadata in Geo-science. Metadata and Semantics Research, 170–184,204, http://link.springer.com/chapter/10.1007/978-3-319-13674-5_17

[2] E. Boldrini, et al.: “Integrating CERIF Entities in a Multi-disciplinary e-infrastructure for Environmental ResearchData”, Procedia Computer Science 2014 vol: 33 pp: 183-190.

[3] D. Bailo, et al.: “Mapping solid earth Data andResearch Infrastructures to CERIF”, 0, 9–11, 2016,http://dspacecris.eurocris.org/handle/11366/537

Please contact:

Daniele BailoEPOS Management Office ICT – INGV, Italy +39 06-51860728, [email protected]

https://epos-ip.org/glossary/aaai

http://139.91.183.3/3M/


Within the EU Horizon 2020 project ENVRIPLUS [L8], the‘Data for Science’ theme investigates and develops interop-erable solutions to common problems that environmental RIsface for managing data and supporting the activities of scien-tists throughout the research data and experimentation life-cycle, and encompasses work on the development ofcommon data services within a common semantic frame-work. Problems being addressed include: • how to identify and cite data from different sites or infra-

structures; • how to control the quality of nearly real-time data from

sensors and annotate them; • how to catalogue the data and to allow users to search and

access data from different sites or infrastructures; • how to support scientists to perform experiments using

data, software tools and resources from different remoteinfrastructures;

• how to effectively manage the infrastructure resources inthe scientific experiments and allow scientists to achievetheir goals more quickly; and

• how to effectively record the events and results generatedduring experiments so that scientists can reproduce them

independently. Sharing solutions to those common prob-lems will not only reduce development costs but also pro-mote interoperability between different infrastructures.

Besides being important pillars for user communities in theirrespective domains, environmental RIs are also intended tosupport interdisciplinary research as well as contributedirectly to cross-domain initiatives such as Copernicus [L9](contributing to GEOSS [L10]). This requires standard poli-cies, models and e-infrastructure to improve technologyreuse and ensure coordination, harmonisation, integrationand interoperability of data, applications and other services. The Data for Science theme follows a ‘Reference Modelguided’ approach. It builds upon abstract concepts derivedfrom the analysis of common operations of RIs and subse-quently defines an architectural reference model for environ-mental RIs in general. Early results from specific RIs in con-struction have been carefully reviewed in order to identifygood technology candidates for the realisation of the variouscommon services needed, and a number of interactions havebeen carried out at various levels with computational e-infra-structures (such as EGI), data infrastructures (such as

15

Figure�1:�Different

research�support

environments�and�the

role�they�play�in�ICT

activities�initiated�by�user

communities.

Figure�2:�Metadata

superset�recommendation

in�ENVRIPLUS�to

enable�future�interface�to

overarching�enhanced

virtual�research

environments�(e-VRE).


EUDAT), and other initiatives (such as VRE4EIC [L11]) thatwork on related issues. The e-VRE reference architecture inthe VRE4EIC project, for example, is being used to guide thedevelopment of interfaces to access data and softwareresources from ENVRIPLUS RIs. Figure 2 shows the basicidea.

ENVRIPLUS, a four year project, is approaching the end ofits second year. Version 2 of ENVRI RM is available; it hasbeen used to guide the design of new identification/citation,processing, optimisation, curation and cataloguing services.CERIF and CKAN have been recommended for prototypinga cross-RI catalogue service. The Open Information Linkingfor Environmental RIs (OIL-E) framework developed inENVRIPLUS has also been aligned with CERIF in collabo-ration with the metadata team in VRE4EIC. Furthermore, arecommendation for how to use metadata catalogues as abasis for constructing federated services at VRE-level forinteracting with individual RIs and underlying e-infrastruc-ture has been produced and introduced to the ENVRIPLUSRI community (see Figure 2).

Links:

[L1] www.egi.eu [L2] www.eudat.eu/[L3] www.geant.org/[L4] www.icos-infrastructure.eu/[L5] www.eposeu.org/ [L6] www.euro-argo.eu/[L7] www.jisc.ac.uk/rd/projects/virtual-research-environments[L8] www.envriplus.eu [L9] www.copernicus.eu/[L10]www.geoportal.org/[L11] www.vre4eic.eu

References:

[1] Zhiming Zhao, et al.: “Time critical requirements andtechnical considerations for advanced support environ-ments for data-intensive research”, Proc. IT4RIS work-shop Porto 29 November-2 December 2016.

[2] Mark A. Miller, Wayne Pfeiffer, Terri Schwartz: “TheCIPRES science gateway: enabling high-impact sciencefor phylogenetics researchers with limited resources”,in Proc. of XSEDE '12, ACM, New York, NY, USA,2012.

Please contact:

Zhiming ZhaoUniversity of Amsterdam, The [email protected]


A Virtual Research

Environment for the oil

and Gas domain

by Jorge dos Santos Oliveira, José Borbinha and Ana

Teresa Freitas (INESC-ID/IST, Universidade de Lisboa)

Microbial enhanced oil recovery gained a new meaning

with the development of metagenomics. This genomic

method involves identifying the collective genome of a

microbial community, including those that cannot be

cultivated in controlled conditions. However, this method

generates petabytes of genomic data, presenting specific

computational challenges, demanding the development

of new collaborative research platforms. The main goal of

this project is to develop a virtual research environment

(VRE) that can support studies using metagenomic data

with application to the oil and gas field.

In 2010, UK’s Joint Information Systems Committee (JISC)supported a landscape study on VREs. The research area withthe largest number of identified examples of VREs was arts andhumanities, followed by engineering and physical sciences andcomputer science, with biotechnology and biological sciencesin fourth place [1]. The prominence of biotechnology and bio-logical sciences VREs is interesting, given that there are usu-ally ethical concerns with sharing data in these domains.

The most popular examples of VREs with an impact inbiotechnology and biological sciences, are: (i)myExperiment [L1] – the main goal is to share and discussworkflows by providing networking tools to researchers; (ii)BioVel [L2] – a virtual e-laboratory which provides a graph-ical environment where researchers can design and constructanalysis pipelines, before they are deployed through theBioVeL Portal and myExperiment; (iii) DECIDE [L3] – aVRE that helps the medical community with patient exami-nation and diagnosis; and (iv) Genomics Virtual Lab [L4]that promises to take the IT out of bioinformatics by pro-viding a cloud-based suite of genomics analysis tools.

Several factors can be seen as a barrier for the adoption ofVREs in biotechnology and biological sciences, for instance,the complexity and consequent learning curve of such sys-tems, often requiring IT knowledge; the ‘cultural’ habit ofthe (error-prone) physical notepad; and the broader approachto most of the research topics.

A ready-to-use application that has organisational and time-saving advantages over a physical notepad is required inorder to increase the adoption of VREs in these domains. Inthis project, this particular question was addressed byacquiring feedback from laboratory teams during the devel-opment stages and by offering domain-specific informationthat is difficult to find just by browsing the web.

The new oil and gas VRE

This new oil and gas platform [L1] is a responsive web-basedworking environment, providing: (ii) workflow sharing, bothbioinformatics and bench; (ii) access to algorithms and tools;


(iii) access to databases and datasets related with biodegrada-tion and biosurfactants; (iv) access to processing resources;(v) access to storage resources; and (vi) access to social tools.

In particular, the sharing of tailor-made computational and benchworkflows is very useful in metagenomics research due to thenovelty, heterogeneity and size of the data that is generated.

Another main problem faced by VREs is their sustainability.Each VRE tends to create all services from scratch, usingresources that require high maintenance and large budgets.Consequently, activity within most VREs declines with timeand they become dead resources.

In order to overcome this important issue, we adopted thestrategy of relying on existing technology and resources asmuch as possible, using e-infrastructure standard APIs andformats, and following an API-first philosophy. For example,social share and discussion resources are Facebook,myExperiment and BitBucket; user authentication is basedon the Google Sign In platform; and Google Analytics toolwas integrated into the platform in order to provide real-timeand long-term statistics of the VRE usage. All this is build in

the flexible, cloud-friendly andJavaScript-centric MEAN Stack. ThisVRE also takes advantage of otherexisting specialised services, forexample for the BioSurfBD database[2].

The project team

This project started in 2015 as part of alarger initiative aiming to develop amultidisciplinary approach to identifyand characterise patterns of taxonomicand functional diversity of microbialcommunities present in reservoirs [3].

The project brought together more than20 researchers, from three researchinstitutes: (i) the Information andDecision Support Systems Lab (IDSS)research group from INESC-ID,Portugal, that has the knowledge todevelop the computational biologyalgorithms, databases and the VRE; (ii)the Bioinformatics Laboratory ofLNCC, Petropolis, Brazil, that isresponsible for providing workflowsand metagenomics sequencing data; and(iii) the Department of Biochemistry,Universidade Federal do Rio Grande doNorte, Brazil, that is responsible for thelaboratory experiments and feeding theVRE with data.

Due to its flexibility, this VRE can beused in other domains. For example, asimilar solution for the area of precisionmedicine has already been proposed.

Links:

[L1] www.myexperiment.org[L2] www.biovel.eu[L3] applications.eu-decide.eu[L4] nectar.org.au/[L5] aleph.inesc-id.pt/vre/, www.facebook.com/ogvre/

References:

[1] A. Carusi and T. Reimer: “Virtual research environmentcollaborative landscape study,” UK’s Joint InformationSystems Committee, Tech. Rep., 2010.

[2] J.S. Oliveira et al.:“BioSurfDB: knowledge and algo-rithms to support biosurfactants and biodegradationstudies,” Database 1-8, 2015.

[3] J.S. Oliveira et al.: “Biogeographical distribution analysisof hydrocarbon degrading and biosurfactant producinggenes suggests that near-equatorial biomes have higherabundance of genes with potential for bioremediation,”submitted to BMC Microbiology, 2017.

Please contact:

Jorge dos Santos Oliveira, University of Lisbon, Portugal+351.213100300, [email protected]

Figure�1:�Database�page,�an�example�of�the�gallery-style�sharing�platform,�where�users�can�view,

comment�and�review�tools,�or�even�submit�their�own.

Figure�2:�Home�page�of�the�oil�and�gas�VRE.

http://applications.eu-decide.eu/

http://nectar.org.au/

http://aleph.inesc-id.pt/vre/#/


Special theme: Autonomous Vehicles

Introduction to the Special Theme

Autonomous Vehicles -

by Erwin Schoitsch (AIT)

Highly automated and autonomous systems are currently akey issue in many application domains: automotive, trans-port in general (railways, metro-lines, aircraft, space,ships), industrial automation, health care, cooperatingmobile robots and related machines (e.g., fork lifts, off-road construction engines, smart farming, mining, all kindof drones and robots for surveillance, rescue, emergencyservices, maintenance). Highly automated andautonomous systems play an important role in the ‘digitaltransformation’ - the strategic and disruptive evolutiontowards a ‘digital society’, which is the key focus ofEuropean Research in Horizon 2020. This is depicted inFigure 1, which is taken from an official presentation ofDG CONNECT at various events.

At a European level, research initiatives in Horizon 2020include smart mobility and related applications for highlyautomated vehicles, such as those used in smart farming,marine, construction, logistics, manufacturing, smart citiesand even health care (elderly care homes, hospital environ-ments). This comprises general ICT research as well asdomain-related programmes.Some relevant programs are: • ECSEL (Electronic Compo-

nents and Systems for Euro-pean Leadership, a jointundertaking between the EC,national member states andprivate partners from theindustrial associationsARTEMIS, AENEAS andEPoSS),

• SPARC (robotics research, aPPP between EC and euRo-botics) and the

• ‘Large Scale Pilot’ Pro-grammes (e.g., in SmartFarming and Mobility),which are closely connectedto the ‘Internet of Things’Innovation Initiative (AIoTIand the EC).

At a national level in manyEuropean countries, substantial

research is being conducted on autonomous vehicles andin particular (highly) automated driving. These efforts arenot restricted to large countries like Germany and France -for example, the Austrian Federal Ministry for Transport,Innovation, and Technology (BMVIT) has launched a callto set up and run a public test region for automated vehi-cles, the ‘Austrian Light-vehicle Proving Ground’(ALP.Lab) starting in 2017. For another example see‘RECAR: Hungarian REsearch Center for AutonomousRoad vehicles is on the way’.There are many challenges to consider:• Safety and security, privacy, dependability in general

(see articles under ‘Generic Challenges’)• Sensors and actuators• Software development, life cycle issues• System integration• Connected vehicles, V2X connectivity • Cooperative driving and transport systems, systems-of-

systems aspects• New mobility (multi-modality enabled by highly auto-

mated/autonomous vehicles)

Technologies driving the digital transformation

Digital Transformation

Innovation in products,

processes and business models

AI and autonomous systemsRobotics, automation, machine learning, self-

driving,..

IoT (physical meets digital)Embedded software, sensors, connectivity, actuators, low

power ICT, lasers, …

Big data (value from knowledge)

Analytics, storage, Cloud HPC,..

4

Figure�1:�Technologies�driving�the�digital�transformation�

(source:�European�Commission,�DG�CONNECT,�W.�Steinhögl).


• Imulation and control• Verification and validation• Standardisation • Situation understanding, cognition, decision making • Path planning, (precision) maps, localisation and navi-

gation• Environmental awareness, self-learning, • Human interaction and (public) acceptance, and• Societal, ethical and legal aspects.

This includes impact from other sciences such as big data,IoT, artificial intelligence, communications and cloud,mechatronics and semiconductors, which contribute tomeet these challenges. Connected cooperativeautonomous vehicles are adaptive systems-of-systems. Inthis context, we have to consider several levels of systemautonomy: • the vehicle (robot) as such (level 1, local autonomy,

self-dependence), • the fleet/swarm/ad-hoc group of connected vehicles

(level 2, increased amount and chances for informationand adaptation of control), and

• the regional/global level 3 (throughput, environmentalfriendly operation, saving of resources), which needs tobe considered for traffic or logistics optimisation ormulti-modal transport, for instance.

There is a big difference between development and use inspecialised fields of application, where trained operatorsand/or structured environments are involved (like con-struction, manufacturing, on-site operations,railways/metros, aircraft and space) and where the generalpublic and public spaces set the requirements (road trans-port, smart cities/buildings/homes and care). ‘Mixedtraffic’ of autonomous and traditional vehicles is the mostdemanding scenario, and in urban environments the ‘vul-nerable road users’ (people, bicycles etc.) will still remainas partners (see also ‘Hello human, can you read mymind?’). Therefore, the Roadmaps for automated drivingforesee five levels of ‘take over’ from the driver, thehighest one being urban traffic. Similar levels are definedfor other transport systems like railways and aircraft (seearticle on ‘Cross-Domain Fertilisation in the Evolutiontowards Autonomous Vehicles’ and the key note).

For many businesses, ‘Digital Transformation’ will be dis-ruptive – some will vanish, some will change, but also newchallenges and chances will arise and roles change. Oneexample may be that for fully autonomous cars, insuranceand liability will become the OEM/manufacturer’s respon-sibility and no longer be with the driver, the driver’slicence will become a vehicle licence. With reduced indi-

vidual car ownership, OEMs may shift from pure selling tofleet management and maintenance of autonomous carfleets, because vehicles are then used mainly on demand(see also ‘How the Digital Business Model can Transformand Boost the Car Industry’).

This issue of ERCIM News covers many diverse aspectsof the Special Theme, without being able to claim com-pleteness.

The first group of contributions discusses rather genericchallenges, like dependability of autonomous controls,safety and security co-engineering (addressing connected,intelligent automated vehicles) and the chances for disrup-tive innovations in advanced robotics by adaptiveautonomy.

The largest block of articles is about automotive topics,ranging from the importance of new digital businessmodels for the car industry to particular applications, spe-cific development and technology paradigms and nationalresearch initiatives, including considerations for coopera-tive systems, connected vehicles and human factors andmodels for traffic safety and optimisation.

Several articles address cross-domain or very particularchallenges and technologies, including agriculture, rail-ways, ships and underwater robots, UAVs, machines,issues of swarm and fleet management in context of off-road and road vehicles, to name just a few.

References:

[1] ARTEMIS Strategic Research Agenda 2016,ARTEMIS Industrial Association, March 2016

(SRA 2016: https://artemis-ia.eu/publications.html )[2] MASRIA 2017 – Multi-Annual Strategic Research

and Innovation Agenda for ECSEL Joint Undertaking(AENEAS, ARTEMIS, EPoSS) https://artemis-ia.eu/publication/download/masria2017.pdf

[3] Position Paper Safetrans Working Group “Highlyautomated Systems: Test, Safety, and DevelopmentProcesses” (2016) (cited in: D. Watzenig, M. Horn(Eds.): “Automated Driving”, Springer 2016, ISBN978-3-319-31895-0)

Please contact:

Erwin Schoitsch, AIT Austrian Institute of [email protected]

Over the last three years, public authori-ties from many countries have presentedaction and innovation plans to facilitatethe development and stepwise introduc-tion of automated vehicles. Those planscover actions for a multitude of tech-nical and non-technical aspects that needto be taken into account. Several fore-casts predict a limited availability ofautomated driving functions by 2020(partial and conditional automation) anda wide availability by 2040 includinghigh and full automation [1], [2], [3].

In particular, substantially improvedvehicle and road safety is one of theexpected major achievements. However,the ultimate safety test for automatedvehicles will have to determine howwell they can replicate the crash-freeperformance of human drivers, espe-cially at the level of partial and condi-tional automation within mixed traffic.In order to be accepted by drivers andother stakeholders, automated vehiclesmust be reliable and significantly saferthan today’s driving baseline.

Automated vehicles by nature rely onsensing, planning, reasoning, and acting(or re-acting). A suite of vehicle sensors

based on different sensing modalities(such as radar, lidar and camera) alongwith external sources (V2X) anddetailed digital maps gather raw data ofthe vehicle’s environment, driving situ-ation, and ambient conditions.Sophisticated algorithms interpret thedata, process it, and convert it to com-mands for the actuators (steering,braking). Most of the state-of-practicevehicles and prototypes rely on in-vehicle sensors and require little digitalinfrastructure communication while agreater connectivity between vehiclesand their infrastructure is known to bebeneficial. This entails the developmentof common communication protocols,security standards, and investment innew types of infrastructure or upgradeof existing ones. Reproducible testingof such highly connected, cooperative,bi-directionally interacting, and auto-mated systems of systems has becomeone of the biggest challenges.

Figure 1 highlights the complex archi-tecture that has to be designed, imple-mented, validated, and finally qualifiedfor automotive purposes (ISO 26262and ISO PAS 21448 SOTIF). Reliabilityand safety (for occupants and other road

users) have to be guaranteed at anytime, in any weather conditions, and inany traffic situation.

As the technology for automateddriving develops, the research anddevelopment focus is shifting frombasic research towards demonstrationof technological readiness and 24/7availability of functions and systems. The shift of automated driving to thenext level of maturity requires severaltechnological advances and fields ofaction including (but not limited to):• Fail-operational behaviour (multiple

redundancy at low cost)• Assessing safety, reliability, and

robustness (independent and repro-ducible test)

• Harmonised driving scenarios (set ofagreed test scenarios)

• Self-learning, self-adapting, self-con-figuring architectures (qualifiableand certifiable)

• Demonstrating cybersecurity and pri-vacy

• Dependable power computing (1GByte/s of data has to be processedin real-time)

• Human factor (especially for SAEJ3016 level 3)

20


Invited Article

Automated driving

by Daniel Watzenig (Virtual Vehicle Research Center, Graz)

Automated vehicle technology has the potential to be a game changer on the roads, altering the

face of driving as we know it. Many benefits are expected, ranging from improved safety, lower

stress for car occupants, social inclusion, reduced congestion, lower emissions, and more efficient

use of roads due to optimal integration of private and public transport.

Figure�1:�Automated

driving�architecture.

• Environment modelling and percep-tion in real-time

• Advanced data fusion (low, intermedi-ate, high level fusion) and robust control

• Digital infrastructure embedding• Real-world data-driven engineering

feedback.

Despite tremendous improvements insensor technology over the last couple ofyears, pattern recognition techniques,robust signal processing, control systemdesign, computational power (multi-core and many-core technology), V2X,and other system technology areas,market introduction of a fully automatedvehicle that is capable of unsuperviseddriving in an unstructured environmentstill remains a long-term goal. Even forstructured environments, furtherresearch is needed to exploit the fullpotential of road transport automation.

One of the keys to succeed is the tightengagement of real-world data and vir-tual development methods to designnew or to improve existing vehiclefunctions and features as well asmethods, processes, and tools for devel-opment and validation. Figure 2 high-lights the ‘closed engineering loop’ inorder to improve methods, tools, andprocesses for virtual approval.

Seamlessly connecting models, data,and processes with openness to a certain

extent along the entire vehicle life-cyclewill significantly contribute to adecrease in road driving test kilometres,to lower development costs, and ulti-mately to improved reliability andsafety. Austria has already reacted inorder to strengthen its position withinEurope. The Austrian Federal Ministryfor Transport, Innovation, andTechnology (BMVIT) has launched acall to set up and run a public test regionfor automated vehicles. All relevantindustrial and academic partners fromthe automotive and infrastructuredomains have joined forces and are onthe way to establishing the AustrianLightvehicle Proving ground(ALP.Lab) starting in 2017 which willcover motorways, federal highways,urban areas, and border crossings toSlovenia.All of the above mentioned fields ofactivity need to be further investigatedto exploit the full potential in order toensure a safe, reliable, acceptable, andsecure behaviour of automated vehiclesembedded in their intelligent environ-ment at all times. Along with the tech-nological advances, progress in legisla-tion, liability, and insurance is essentialand urgently needed.Meanwhile many collaborativeEuropean research projects focusing ondifferent aspects of automated drivinghave been recently launched (e.g.,ENABLE-S3, Inframix, TrustVehicle

and AutoDrive) and several Europeaninitiatives (like ECSEL JU, EARPA,ERTRAC and SafeTRANS) are drivingthis topic forward, finally reflecting thestrong European movement in the fieldof automated driving.

Recommended reading:

D. Watzenig, M. Horn, Automateddriving – safer and more efficientfuture driving, Springer, ISBN 978-3-319-31895-0,http://www.springer.com/de/book/9783319318936, 2016.

References:

[1] Automated driving roadmap,European road transport researchadvisory council (ERTRAC), 2015.

[2] Roadmap on smart systems forautomated driving, Europeantechnology platform on smartsystems integration (EPoSS), 2015.

[3] ECSEL Austria, Austrian research,development & innovation roadmapfor automated vehicles,http://www.ecsel-austria.net/newsfull/items/automated-driving-roadmap.html, March 2016.

Please contact:

Daniel Watzenig, Virtual VehicleResearch Center, Graz, [email protected]


Figure�2:�The�use�of�real-world�data�to�develop�and�test�safety-critical�automated�driving�functions.

http://www.springer.com/de/book/9783319318936

A shift from automatic to autonomouscontrol has emerged in the developmentof robots. Autonomous control allowsthe robot to have freedom of movementas well the ability to directly interactwith humans as well as other robots in acollaborative environment. Having adependable platform for autonomouscontrol becomes absolutely crucialwhen building such a system.

The concept of dependability originallyderives from software development andcan be defined as ‘the ability to deliverservice that can justifiably be trusted’(Avizienis et al. [1]). The dependability ofa system is evaluated by one, several or allof the following attributes: availability,

reliability, safety, integrity, and maintain-ability. The implementation of depend-ability starts with an understanding of thethreats to the system’s dependability,which may include failures, errors, andfaults. Therefore, four means have beendeveloped to protect system depend-ability: fault prevention, fault removal,fault forecasting, and fault tolerance.

Mälardalen University is hosting a longterm project, DPAC – DependablePlatforms for Autonomous system andControl [L1], with the main aim ofimplementing dependability for differentplatforms for autonomous systems andtheir control. Within the profile, threemain fields are covered that includehardware with heterogeneous systemarchitecture (HAS), software design andautonomous control. In this project, thedependability of autonomous controlsystem plays a vital role.

A fault is the root of every failure occur-ring inside or outside of the system.Nevertheless, the most pressing chal-lenge is how to predict the frequency offaults and at what moment a faultoccurs, thus fault analysis is presented tominimise the probability of a fault and toestimate when faults will happen in thesystem. Thereafter, other means aredeveloped to protect the dependabilitywith respect to the analysis of faults.

Various approaches to fault analysis,such as Petri Net (PN), fault treeanalysis (FTA), failure modes effectsand criticality analysis (FMECA), andhazard operability (HAZOP) are intro-duced in the work of Bernardi et al. [2].

However, our research focusses on PN,since the PN framework provides notonly a probability approach for faultanalysis and fault prevention in bothdevelopment and operational stages ofdesigning a system but also for mitiga-tion of the implementation progress.For instance, as an extension of PN, astochastic Petri net can be combinedwith Markovian models to evaluate theprobability of current state and theprobability of future fault events for afault prognosis process. In our study[3], a coloured time PN is utilised forfault tolerance analysis of multi-agentsin a complex and collaborative context.

In our current research, three differentstages are considered to be imple-mented, which relate to three means:fault prediction, fault prevention andfault tolerance for autonomous control.For fault prediction, the probability

model is established to estimate thetime fails of the system. The time that afail could happen is modelled by anexponential distribution. The design ofthe autonomous control system can bepresented by a network of nodes like aPetri net and the fails are propagatedfrom one node to others. Each type offailure is computed by separated vari-ables and the hierarchy structure may betaken into account for a complicatedagent interaction. The probability of asuccessful task depends on the parame-ters of the system. Note that there aretwo types of parameters: those from theenvironment that cannot be changedi.e., non-configurable, and the othersthat are configurable. Correspondingly,

the probability of failures could be esti-mated based on the defined values ofthose parameters and the architecture ofautonomous systems.

After designing a mathematics model offault prediction with respect to config-urable parameters, expectation maximi-sation (EM) is applied to minimise fail-ures while taking into account hiddenparameters from the environment. Thisstage is actually the implementation offault prevention as we attempt to findthe best model for the system to avoidfurther failures in future.

Finally, the fault tolerance allows thesystem to continue to work even as failshappen. To do so, there are differentalgorithms and modules running in par-allel in the system. Each module willuse the fault prevention design asdescribed above. When one algorithm



dependability for Autonomous Control

with a Probability Approach

by Lan Anh Trinh, Baran Cürüklü and Mikael Ekström (Mälardalen University)

For the last decade, dependability – the ability to offer a service that can be trusted – has been the

focus of much research, and is of particular interest when designing and building systems. We are

developing a dependable framework for an autonomous system and its control.

Development Real system OperationsA framework

to analyze faultsA mechanism

to recover the system

even with the presence

of faults

Figure�1:�The�development�and�operational�stages�in�building�a�dependable�control�system.

or module fails, it is immediatelyreplaced by another. It is important tonote that the decision must be done inadvance i.e., before the fails happen,otherwise it could be too late. Again thefault analysis combined with an artifi-cial intelligence algorithm are used fordecision making.

Overall, this architecture allows all nec-essary means to be implemented to pre-serve the dependability of the system.Using a graphical probabilistic model,the means could be implemented in a

real robot to facilitate dependableautonomous control.

Link:

[L1] www.es.mdh.se/projects/414-DPAC

References:

[1] A. Avizienis, et al.: “Basicconcepts and taxonomy ofdependable and secure computing”,IEEE Transactions on Dependableand Secure Computing, 2004.

[2] S. Bernardi, J. Merseguer, D.C.Petriu: “Model-Driven

Dependability Assessment ofSoftware Systems”, Springer, 2013.

[3] T. Lan Anh, C. Baran, E. Mikael:“Fault Tolerance Analysis forDependable Autonomous Agentsusing Colored Time Petri Net”, 9thInternational Conference on Agentsand Artificial Intelligence,ICAART 2017.

Please contact:

Lan Anh Trinh Mälardalen University, [email protected]


Connected, intelligent, and autonomousvehicles transform traditionally mechan-ical and electrical cars into ‘networkedcomputers on wheels’. Along with themany technology breakthroughs andbenefits, challenges of safety and secu-rity become imminent and real. Theelectrical and electronic systems thatcontrol an automated vehicle are nolonger immune to cyberattacks com-monly seen in IT systems. A combinedsafety and security approach is neces-sary to address the challenges that havearisen in recent years, including co-engi-neering activities, methodologies, tech-niques, and a coherent approach in rele-vant standards.

The correct identification of safetyand security goals is the first step inthe development lifecycle of a system.The identification of hazards andassets reveals potentially vulnerableparts of a system. Subsequently, a firstconcept architecture for these parts isdefined which can then be analysed toidentify potential weaknesses, e.g., if afailure or an attack could trigger anintolerable risk. In both cases, require-ments are defined which aim at pre-venting such risks. Different methodsshould be used to address variousissues during the development life-cycle with different levels of detail.Figure 1 displays the most common

methods in the respective phases ofthe V-model.

A useful security technique is threatmodelling, which defines a theoreticalmodel of perceived threats to a system.We developed a systematic approach toapply threat modelling to automotivesecurity analysis and combined it withthe Failure Mode and Effect Analysis toFMVEA, Failure Modes, Vulnerabilitiesand Effects Analysis [1]. Threat model-ling should be performed in all phasesof the development lifecycle. Differentlevels of detail can be used along thelifecycle with different objectives ineach phase. In the concept phase, mod-

Safety and Security Co-engineering

of Connected, Intelligent, and Automated Vehicles

by Christoph Schmittner, Zhendong Ma, Thomas Gruber and Erwin Schoitsch (AIT)

Connected, intelligent, and autonomous vehicles pose new safety and security challenges. A systematic

and holistic safety and security approach is a key to addressing these challenges. Safety and security co-

engineering in the automotive domain considers the coordination and interaction of the lifecycles,

methodologies, and techniques of the two disciplines, as well as the development of corresponding

standards.

Figure�1:�Dependability�engineering�in�the�development�lifecycle.

elling results in high-level security andsafety requirements and security con-cepts. In the product developmentphase, it can define technical securityand safety requirements for functional,security and safety design. It can also beused to discover design vulnerabilityand flaws and to specify comprehensiverequirements that can be verified andvalidated in unit and integration testingin an iterative way in parallel to systemdesign and implementation. In the pro-duction and operation phase, it priori-tises risks and prepares penetrationtesting on completed automotive com-ponents and systems. A knowledge baseis continuously enriched by the outputfrom threat and failure modelling activi-ties, enabling the reuse of artefactsacross different projects. Further,related vulnerabilities and threats fromexternal sources are promptly incorpo-rated into the threat and mitigation cata-logue.

A new version of the automotive func-tional safety standard ISO 26262 is cur-rently under development. Although notsuited for completely autonomous cars,automated functions are considered to asignificantly higher degree than in thefirst edition. This is supported by the newstandard development SotIF (Safety ofthe Intended Functionality). SotIFdescribes nominal performance metricsfor sensor systems and automated func-tions. This regulates the area where asystem may cause a hazard without afailure in the traditional understanding.The processing algorithm made, basedon the received understanding of the

environment, a hazardous decisionwithout a fault in the system. This couldbe caused by a limitation in the sensoralgorithm or signal noise or insufficientperformance of a sensor. A newISO/SAE automotive security standardcompletes these activities. All three stan-dards need to consider the increasedinteraction and co-engineering betweensystem-, safety- and security- engineers.AIT is involved in the development of allthree standards and is a member of thecybersecurity and safety task group thatdeveloped the Annex. The goal of inter-action and communication points is tolay the groundwork for a workflow withshared phases [2].

AIT has further developed automotivesafety and security co-engineering inthe Artemis project EMC2 and demon-strated it for a Hybrid ElectricPowertrain control system of AVL. Inthe SCRIPT project, we applied thenewly published SAE J3061 standardfor conducting TARA in the develop-ment of a secure communicationgateway for autonomous off-road vehi-cles [3]. We are also working towardsan efficient and model-based approachto multi-concern assurance includingsafety; security, reliability, and avail-ability in the scope of ECSEL projectAMASS. AIT will take the next steptowards safe, secure and cost-efficientautomated driving in the ECSEL projectAUTODRIVE starting in 2017. Theinteraction point approach of ISO26262 Edition 2 will be the object ofresearch in the ECSEL project AQUASalso starting in 2017.

Links:

[L1] www.ait.ac.at/en/about-the-ait/center/center-for-digital-safety-security/

[L2] www.emc2-project.eu/[L3] www.tttech.com/company/

research-projects/austrian/script/ [L4] www.amass-ecsel.eu/

References:

[1] C. Schmittner, Z. Ma, E. Schoitsch,T. Gruber: “A Case Study ofFMVEA and CHASSIS as Safetyand Security Co-Analysis Methodfor Automotive Cyber-physicalSystems,” in 1st ACM Workshop onCyber-Physical System Security,Apr. 2015, ACM, pp. 69-80.

[2] E. Schoitsch, C. Schmittner, Z. Ma,T. Gruber: “The Need for Safety &Cyber-Security Co-engineering andStandardization for Highly Auto-mated Automotive Vehicles”,AMAA 2015, Berlin, Germany,July 2015.

[3] C. Schmittner, et al.: “Using SAEJ3061 for Automotive SecurityRequirement Engineering”, inInternational Conference on Com-puter Safety, Reliability, and Secu-rity, pp. 157-170. Springer, 2016.

Please contact:

Christoph Schmittner, Zhendong Ma,Thomas Gruber, Erwin Schoitsch AIT, [email protected],[email protected],[email protected],[email protected]



Figure�3:�SotIF�approach�combined�with

safety�and�cybersecurity�co-engineering.

Figure�2:�Iterative�threat�modelling�and�mitigation�during�the�development�lifecycle.


One of the major challenges in futurerobotics is to design systems that cancollaborate with each other. This is radi-cally different from classical robotautomation in which industrial robots,protected by fences, carry out repetitivetasks. The societal impact of theseadvances is not hard to imagine. In thiscontext, precision agriculture is a highlyrelevant application domain that is goingto be subject to disruptive innovations.The effects of climate change arealready influencing access to arable landand world population growth needs to betaken into account. Thus, there is a realrisk of food shortage in the future if wedo not develop autonomous systems thatcan collaborate to solve real-world com-plex problems. There is also a societaldimension to agriculture. If we look atagriculture and its short-term chal-lenges, we see that in many industrialcountries the depopulation of rural areasmakes it harder to find skilled labour.This, despite that fact that only 2-5% ofthe total work force work is in thissector. With depopulation comesreduced investment in these regions – ininfrastructure, for example. A livelycountryside is only a fiction if there areneither jobs nor services in these areas.

Adaptive autonomy in combination withadvanced human-robot interaction(HRI) could be part of the solution tothis problem. The former assumes thatthe level of autonomy of a system, e.g., afarm vehicle, is subject to change basedon its interactions with otherautonomous systems or humans.Developing generic agent architecturesto allow this to happen is a challenge.Advances in dependable hardware andsoftware systems are also needed, sincethey allow autonomous systems to besafe and reliable. For an agriculturalapplication, the overall system architec-ture is very complex, because it needs tobe configured for both the vehicle navi-gation system (i.e., prescription maps)

and for the farming task itself (i.e.,seeding, crop establishment, plant careand selective harvesting). Thus, a hugequantity of information, site conditions(i.e., soil conditions) and data must besensed and processed (involving sen-sors on board, actuators).

HRI is the other essential technology inthis context, since these technologies donot always allow seamless user-friendlyinteraction that is also highly regarded

by expert users. Lowering the cognitiveload is important for minimising haz-ards. As mentioned above, adaptiveautonomy agent architectures for robotscan only create complex interactionsthrough simple concepts such as ‘will-ingness to help’, and ‘willingness to askfor assistance’ [1]. The approach hereassumes a high degree of interactionand complex relations (see Figure 1),instead of complex agent architectures.Mälardalen University, Sweden, isinvolved in two projects in which adap-tive autonomy plays an important role:DPAC – Dependable Platforms forAutonomous Systems [L1], a nationalproject, and ECSEL JU fundedSWARMs – Smart and Networking

Underwater Robots in CooperationMeshes [L2]. The latter is coordinatedby the second author of this paper.

When adaptive autonomy is extended toadvanced robot-robot interaction andcombined with HRI, we have a systemfor precision control of a group ofautonomous systems by only a fewoperators. Therefore the role of a farmerchanges and he becomes a specialisedand innovative operator that can orches-

trate a heterogeneous set of robots. Notethat heterogeneity is an importantassumption in this context. Differenttypes, such as vehicles, robots, airbornesolutions, etc. will be used for findingthe right blend for a specific challenge.This will inevitably lead to mixedhuman-robot groups. For these groupsto function seamlessly the autonomoussystems need to be ethical [2].

Another research direction is under-water robots, which is associated withhazardous operations. In this applicationdomain, in the SWARMs project, thefirst and second author have assumedthat orchestration of the robots throughhigh-level planning is needed. Despite

Adaptive Autonomy Paves the Way

for disruptive Innovations in Advanced Robotics

by Baran Cürüklü (Mälardalen University), José-Fernán Martínez-Ortega (Universidad Politécnica de

Madrid) and Roberto Fresco (CREA)

Machines are going to become smarter with autonomy as the new standard. Consequently, new

services will emerge. For this to happen, however, we need a new approach to autonomy, which

assumes different levels – and perhaps more importantly, machines that can handle these different

levels. Adaptive autonomy is a means to achieving this goal.

A

B

A

B

g tincuexE

g

i

dd

cuexE

g tincu

iTno

s dnepedj T jn

Rs eviceeR

tseuqeR

plehd

dul

?plt heid

Figure�1:�A�high�degree�of�interaction�and�complex�relations.

the complexity of the missions, the oper-ator is only monitoring the mission,including generation and execution ofthe plan. In both application domains, aswell as other similar ones, the assump-tion is to minimise the intervention ofthe human operator. This is possible toachieve using autonomous systems. Inany case, adaptive autonomy contributesto advanced robot-robot interactionschemes. Therefore, collaborativerobots will get closer to humans workingin teams – and even outperform them incertain tasks.

Links:

[L1] www.es.mdh.se/projects/414-DPAC

[L2] swarms.eu/

References:

[1] M. Frasheri et al., TowardsCollaborative AdaptiveAutonomous Agents, Conf. ofICAART, 2017.

[2] G. Dodig-Crnkovic, B. Çürüklü,Robots – Ethical by Design. Ethicsand Information Technology,Springer, 2012.

Please contact:

Baran Cürüklü Mälardalen University, Sweden+46 (0)73-9607453 [email protected]



For many years, car manufacturers (orOEMs) have managed to increase theirsales by applying traditional businessmodels to the industry, and by continu-ously providing better customer experi-ences. In fact, the automotive industryhas created competitive advantagesthrough advances in the fields ofmechanical and electrical engineering.More precisely, improvements in valuedepend on being able to create morecost-effective engines, provide extrasafety packs that may include autobraking, chassis control etc. and fancymultimedia systems with a lot of con-nectivity functionalities (see Figure 1).However, these features are fairly easyto copy. For example, although multi-media screens that connect to Android oriOS devices were initially included byonly some car makers, they seem to havebecome a standard feature for theupcoming new models of almost allmanufacturers.

The digital disruption can potentiallytransform the car industry as it providesnew opportunities for smart andautonomous cars which can now com-municate, socialise and collaborate withother things, including other vehicles,traffic lights, mechanics, parking lotsand dealers, thus enabling them to par-ticipate in a broad ‘system of systems’[1]. New business models, though, arerequired in order to make manufacturers

defend their value by redesigning cus-tomer engagement and expectations.The concept of the digital businessmodel [2] can bring new capabilities tocustomers and the desired defendingvalue for OEMs. Some of the digitalservices that can be encapsulated in carsmay include insurance servicesaccording to driving style, travel sug-gestions, infotainment, monitoring cardiagnostics, driver health services etc.The autonomous cars of the futurecould run any kind of software in theirexisting multimedia screens offering agreat in-vehicle experience for drivers.

We will now present the digital businessmodel focusing on two dimensions ofexploiting software in the car industrythat are closely related to autonomousdriving behaviour. The first dimensionhas to do with location-based services.These may exploit maps and providedrivers with guidelines and information(gas stations, sights, traffic, shops etc.)according to their destination and acti-vate the auto-driving functionality forpreferable routes where it is applicable.Dedicated software could be developedby auto manufacturers or createdthrough collaboration with non-tradi-tional players like Google, Apple,Facebook or other start-up companiesby integrating their services and theircollected data. The partnershipsbetween OEMs, suppliers, and service

providers can benefit from sharing thecosts of autonomous vehicle tech-nology. On the other hand, OEMs inparticular need to maintain control overtheir individual value creation and theirpotential success in the emergingecosystems. The second dimension hasto do with remote-analytics that arebased on the live data analysis of thecar. The exploitation of analytics couldresult in more cost-effective and safedriving by providing service reports andfaults, active suggestions for fuel, typeof driving, safety warnings etc.

In both cases, the added value of guid-ance could be delivered through softwarethat requires access to satellite or mobilenetworks through the screens of each car.This software could boost car sales oralternatively it can be applied by using asubscription model to a centralised plat-form that shares specialised guidelinesper driver or/and per car. Finally, thismodel defends the value by producingmore autonomous cars that encapsulatethe above features, are self-driven andcan prevent failures. (See Figure 2).

In fact, a variety of companies havealready entered the ecosystem, seekingto capitalise on opportunities created bydigital disruption and the application ofdigital business models, for example,Automatic.com [L1] and moj.io [L2]which perform live car monitoring and

How the digital business Model can transform

and boost the Car Industry

by Ioannis Chrysakis (ICS-FORTH)

Moving from the traditional to the digital business model gives the opportunity to car manufacturers

and new non-traditional players of the car industry to create the autonomous cars of the future.

http://swarms.eu/


offer a lot of functionalities to con-nected cars. OEMs can collaborate withsuch companies or develop their ownsolutions by investing in new resourcesand technologies. Recently, Volvo [L3]announced that it uses machine learningalgorithms to expose predictive ana-lytics. Furthermore, the idea ofautonomous driverless cars gives great

opportunities for less cars, moreparking spaces and an eco-friendlymeans of regional transport to cus-tomers that could not be necessary theactual car owners. Thus, Ford, GM,Audi, BMW, Tesla, Nissan, Mercedes-Benz, and others have promised todeliver self-driving cars in the next fiveyears or so [L4].

Finally, since the disruptive technology-driven trends create new opportunitiesfor autonomous smart cars, OEMsshould align their strategic priorities todifferentiate their products and services,in order to reshape the value propositionand finally create the desired competi-tive advantage.

Links:

[L1] www.automatic.com/how-automatic-works/

[L2] www.moj.io/[L3] globalsmt.net/industry_news/

amazing-ways-volvo-uses-big-data-machine-learning-predictive-analytics/

[L4] www.wired.com/2017/01/self-driving-cars-approach-auto-industry-races-rebuild

References:

[1] D. Wollschläger, et al.: “Digitaldisruption and the future of theautomotive industry”. IBM Centerfor Applied Insights, September2015.

[2] O. A. El Sawy, et al.: “BusinessModelling in the Dynamic DigitalSpace: An Ecosystem Approach”,pp 13-20, Springer, 2012.

Please contact:

Ioannis Chrysakis,ICS-FORTH, Greece,+30 2810 [email protected]://www.ics.forth.gr/~hrysakis

Figure�1:�The�traditional�business�model�in�the�car�industry.

Figure�2:�The�digital�business�model�in�the�car�industry.

Info-communication technology is cre-ating big changes in road transportation(vehicles, infrastructure, and passen-gers) as well as society in general [1]. Inthe automotive industry, continuousexpansion of automation is occurring[2]. In Hungary to date, research proj-ects in the field of autonomous vehicleshave been performed separately and in

parallel, with little collaborationbetween institutes.

RECAR (REsearch Centre forAutonomous Road vehicles) is a com-prehensive organisation that helps itsmembers to combine their expertise toimprove research outcomes. RECAR’saim is to connect academic and indus-

trial expertise, as well as education andresearch, in order to facilitate thetraining of highly qualified profes-sionals and to strengthen research com-petences. As a first step in establishingRECAR, in January 2016 the leaders ofBudapest University of Technology andEconomics (BME), Eötvös LorándUniversity (ELTE) and Hungarian

RECAR: Hungarian Research Centre

for Autonomous Road Vehicles is on the Way

by Zsolt Szalay, Domokos Esztergár-Kiss, Tamás Tettamanti (Budapest University of Technology and

Economics) and Péter Gáspár, István Varga (SZTAKI)

RECAR is a Hungarian research centre for autonomous vehicle technology providing internationally

unique education and research with close cooperation with industrial partners. The research centre

has technologically advanced laboratories to facilitate high quality R+D+I activities. RECAR is also

expected to contribute to the increase in qualified workforce in the automotive industry in Hungary.

http://globalsmt.net/industry_news/amazing-ways-volvo-uses-big-data-machine-learning-predictive-analytics/

Academy of Sciences, Institute forComputer Science and Control (MTASZTAKI) signed the RECAR program’scollaboration agreement.

Based on international trends and incen-tives of national companies in the auto-motive industry, the partners initiatedtwo new master programs (MSc):Autonomous Vehicle ControlEngineering hosted by BME andComputer Science for AutonomousDriving hosted by ELTE. The founda-tions for the master programs havealready been laid down and the detailededucation plans are on the way togetherwith the elaboration of course materials.Importantly, the master programs werejointly defined by both academic andindustrial partners in order to addressreal industry needs. The programs willbe launched by 2018.

Laboratories that go beyond the state ofthe art are required to perform educationand research in the area of autonomousvehicle technology. The partners havedefined a testing and validation structureof five layers [3], including laboratoriesthat serve both educational and researchneeds (Figure 1). The laboratory testsare composed of technology researchlabs, component analysis labs, systemintegration labs, and last but not least avehicle-in-the-loop lab. The labs willhave unique and high quality equipmentwith most of the functionalities requiredfor autonomous vehicle developmentand testing.

Several new research projects, whichtake advantage of the technologyoffered by these innovative laborato-ries, will begin in the near future(Figure 2). The research topics weredefined based on current internationaltrends as well as initiatives of the indus-trial partners. The research topics alsoreflect the EU’s recent Gear 2030 bodyactivities that aim to formulate a har-monised and competitive Europeanvision for the ‘Connected Car andAutomated Driving’. Accordingly, thework will be realised in the form ofongoing industrial projects and researchcollaboration by seven main researchgroups (with examples):1. Development of autonomous vehicle

demonstration platform:• autonomous vehicle prototype

development• demonstration of autonomous

functions;



Figure�1:�Autonomous�vehicle�testing�and�validation�layers�[3].

Figure�2:

Example�research

topics.

Figure�3:

Automotive

proving�ground

dedicated�to

autonomous

vehicle�testing

and�validation�at

Zalaegerszeg.


2. Control of autonomous vehicles:• cooperative vehicle control• optimal trajectory planning• cooperative navigation• vehicle motion measurement and

estimation;3. Communication systems within and

among vehicles:• wireless communication of vehi-

cles (V2X)• distributed measurement and infor-

mation processing cyber securityof autonomous vehicles;

4. Environment sensing of autonomousvehicles:• optimal sensor architecture• environment sensing based on

multi-sensor fusion• radar-sensor based target classification;

5. Intelligent transportation systems:• advanced road traffic control• energy consumption optimisation• urban parking and space management;

6. Interaction of human andautonomous vehicles:• information management• human factors• liability of autonomous vehicles;

7. Testing and validation of autonomousvehicles: relevant research subjects tothe test track.

A new test track will also be establishedbeside the research centre (close to thecity of Zalaegerszeg, Hungary) throughan investment of 130 million Euros by2019. The planned proving ground(Figure 3) is specifically dedicated totesting autonomous vehicle functionali-ties in an urban environment (with gen-eral roadside objects, city traffic ele-ments, building facades and traffic infra-structure). The 250 ha area will incorpo-rate the following test features:• standard vehicle dynamics testing and

validation,• fully integrated autonomous vehicle

testing and validation,• environment preparation (obstacles,

traffic signs, traffic control, othervehicles, vulnerable road users),

• complex driving and traffic situations,• Smart City features,• from prototype testing through to

series production testing and valida-tion.

The use case vision is level 4autonomous driving from suburbanhome to city office and valet parking(rural road, highway traffic, suburbanarea, city environment with continuoustransition) [3].

Link: http://recar.bme.hu/eng

References:

[1] T. Tettamanti, I. Varga, Zs. Szalay:“Impacts of autonomous cars froma traffic engineering perspective”,Periodica Polytechnica ser. Transp.Eng., 2016, Vol. 44. No.4. pp. 244-250, doi: 10.3311/PPtr.9464I

[2] A. Alessandrini, et al.: “AutomatedVehicles and the Rethinking ofMobility and Cities”,Transportation Research Procedia,2015, Vol. 5, pp. 145-160, ISSN2352-1465,http://dx.doi.org/10.1016/j.trpro.2015.01.002.

[3] Zs. Szalay: “Structure andArchitecture Problems ofAutonomous Road Vehicle Testingand Validation”, 15th MiniConference on Vehicle SystemDynamics, Identification andAnomalies – VSDIA 2016, 2016.

Please contact:

Domokos Esztergár-KissBudapest University of Technology andEconomics, [email protected]

The development of intelligent – andparticularly self-driving – cars has beena hot topic for at least two decades now.It ignited heated competition initiallyamong various university and R&Dteams, later among vehicle engineeringenterprises and more recently amonghigh-profile car manufacturers and IT-giants. An autonomous car relies onmany functions and comprisesnumerous subsystems that support itsautonomous capabilities. These includeroute-planning, path-planning, speedcontrol, curb detection, road and lanedetection and following, road structure

detection, auto-steering, road sign andtraffic light detection and recognition,obstacle detection and adaptive cruisecontrol, vehicle overtaking, auto-parking [1]. Apart from the mechanicalstate of the car and the geometrical andmechanical properties of the actualroad, it is important to know the geo-graphical context and the kind of envi-ronment the car moves in to achievevehicular autonomy.

To gain first-hand experience in thishot R&D arena and to implement someof the aforementioned functions, a

project for adding autonomous vehiclefeatures ‒ together with associatedautomatic control ‒ to a productionelectric car was launched by theComputer and Automation ResearchInstitute, Budapest, Hungary in 2016.Two of the institute’s research labora-tories are involved in the project: onewhich deals with the theory and theapplication of automatic control(among various other fields in the areaof vehicle dynamics and control), andone which is engaged in machine per-ception. These closely related overlap-ping research interests and experiences

Adding Autonomous features

to a Production Electric Car

by Péter Gáspár, Tamás Szirányi, Levente Hajder, Alexandros Soumelidis, Zoltán Fazekas and Csaba

Benedek (MTA SZTAKI)

A project was launched at the Institute ‒ relying on interdepartmental synergies ‒ with the intention

of joining the autonomous vehicles R&D arena. In the frame of the project, demonstrations of the

added capabilities ‒ appreciably making use of multi-modal sensor data ‒ in respect of path-

planning, speed control, curb detection, road and lane following, road structure detection, road sign

and traffic light detection and obstacle detection are planned in controlled traffic environments.

http://dx.doi.org/10.1016/j.trpro.2015.01.002

offer a great opportunity for R&D syn-ergy.

A Nissan Leaf electric car was fitted upwith a heavy-duty roof rack, which sup-ports an array of sensors, namely sixRGB cameras and two 3D scanningdevices: a LIDAR with 16 and one with64 beams. A further LIDAR with 16beams is mounted onto the front of thecar. These devices view and scan thespatial environment around the host carand explore the traffic and road condi-tions in the vicinity. The test car is alsoequipped with a high-precisionnavigation device ‒ which includes aninertial measurement kit ‒ and a profes-sional vehicle-diagnostic device whichcan access data from the built-in vehic-ular sensors that are necessary for theautonomous control. Given that the caris fully electric and equipped with a hostof computing and measurement facili-ties with considerable power consump-tion, provisions for recharging the bat-teries had to be made: a fast charge-pointwas installed in the institute’s carport.

In order to obtain metric informationfrom the image and the range sensors,they need to be calibrated to each other.However, the data coming fromLIDARs and RGB cameras, respec-tively, are of different modalities: theformer build up spatial point clouds,while the latter form colour imagesequences. Recently, a fast and robustcalibration method ‒ applicable toeither, or both of these modalities ‒ wasdeveloped [2]. The method uses aneasy-to-obtain fiducial (e.g., a card-board box of uniform colour). This is anadvantage over other methods as itallows the sensors to be transferredbetween vehicles when required. Thesensor calibrations ‒ required becauseof the different geometrical configura-tions that can be conveniently set up ondifferent vehicles ‒ can be carried outwithout much fuss. The idea is that thementioned fiducial can be easilydetected both in 2D and 3D spaces,thereby the calibration problem is trans-formed into one of 2D-3D registration.Two point clouds which have been reg-

istered using this approach are shownmerged in Figure 2.

The data collection and recording of tra-jectory, video, point cloud and vehicularsensor data is performed in urban areason public roads near Budapest. Presently,detection of cars, pedestrians, road struc-tures and buildings are on the agenda [3].The collected data is used in the design,simulation and testing of the algorithmsand modules implementing theautonomous operation of the car. The testruns ‒ testing the autonomous featuresand control developed for the project car‒ will initially take place in closed indus-trial areas and on test courses.

This kind of data can also be utilised invarious mapping, surveying, measure-ment and monitoring applications inconjunction with roads (e.g., forassessing the size distribution of pot-holes, for measuring the effective widthof snow/mud/water-covered roads),traffic (e.g., measuring the length andthe composition of vehicle queues) andbuilt environment (e.g., detectingchanges in the road layout, detectingroadwork sites, broken guard-rails,skew traffic signs).

Link:

www.sztaki.hu/en/science/projects/lab-autonomous-vehicles

References:

[1] Z. Fazekas, P. Gáspár, Zs. Biró andR. Kovács (2014) Driverbehaviour, truck motion anddangerous road locations –unfolding from emergency brakingdata. TRE, 65, 3-15.

[2] B. Gálai, B. Nagy and Cs. Benedek(2016) Cross-modal point cloudregistration in the Hough space formobile laser scanning data. IEEEICPR, 3363-3368.

[3] D. Varga and T. Szirányi (2016)Detecting pedestrians insurveillance videos based onconvolutional neural network andmotion. EUSIPCO, 2161-2165.

Please contact:

Péter Gáspár, MTA SZTAKI, Hungary+36 1 279 [email protected]



Figure�1:�A�host�of�image�and�range�sensors�are�mounted�onto�the�electric�test�car.

Figure�2:�Two�point�clouds�recorded�simultaneously�in�street�traffic�with�the�two�small�LIDARs

‒�mounted�on�the�car�shown�in�Figure�1�‒�are�merged�after�registration.�The�green�dots

represent�the�point�cloud�taken�with�the�front�LIDAR�(not�visible�in�Figure�1),�while�the�red

dots�are�from�the�small�(visible)�LIDAR�on�the�roof�rack.


Deep learning is a branch of machinelearning based on a set of artificial neuralnetwork (ANN) algorithms that modelhigh-level abstractions in input data byusing a deep graph representation madeof multiple processing layers [1].

The introduction of deep-learning tech-nology on board cars is starting to have asignificant effect on the automotive soft-ware engineering that needs to incorpo-rate and harmonise the development ofthese technologies [2].

The software development process foron board automotive electronic controlunits (ECUs) is subject to proprietaryOEM norms as well as several interna-tional standards. Among them, the mostrelevant and influential standards fordeep learning are Automotive SPICEand ISO 26262. Needless to say, thesestandards are still far from addressing itwith dedicated statements.

The Automotive SPICE standard –SPICE stands for “Software ProcessImprovement and CapabilitydEtermination” – provides a processframework that disciplines the softwaredevelopment activities. ISO 26262,titled ‘Road Vehicles – FunctionalSafety’, released in late 2011, targetssafety-related development and its scopeexpectedly includes system, hardwareand software engineering.

Both standards, as far as the software isconcerned, rely conceptually on the tra-ditional development lifecycle: the V-model. Also very relevant for deeplearning is the ISO PAS ‘Safety of theIntended Functionality’ (ISO/TC 22N356).

Because of its pervasive adoption andits holistic coverage of the automotivesoftware development processes,Automotive SPICE standard can berecognised as the appropriate refer-ence.

The software side of deep neural net-work (DNN) development is a highlyiterative activity composed by a streamof steps in an end-to-end fashion, asshown in Figure 1.

Compared with traditional approaches,the deep learning development processneeds the support of empirical designchoices driven by heuristics.Development often starts from well-known learning algorithms, which havebeen proven effective in comparableproblems or domains [3].

Automotive software engineering,while welcoming innovation and out-standing functional performances,remains strict in its request for a robustand predictable development cycle. Forthat reason, it is important to place deeplearning in more controlled V-model

perspective to address a lengthy list ofchallenges, such as requirements cri-teria for training, validation and testdata sets, and much more.

The introduction of a more structuredconception of the deep learning life-cycle is instrumental to reach a con-trolled development approach thatcannot be addressed by the mere func-tional benchmarking obtained with vali-dation activities. It is essential to pursueboth fundamental directions: high per-formance at the functional level and ahigh-quality development process.

However, the central role that is playedby data in this context has stimulated theauthors to introduce of a new develop-ment lifecycle model: the W model. Tosupport it, we employ the term ‘pro-gramming by example’ to highlight the

An Integrated Software development Lifecycle

for Intelligent Automotive Software: the W Model

by Fabio Falcini and Giuseppe Lami (ISTI-CNR)

Deep learning is becoming crucial to the development of automotive software for applications such as

autonomous driving. The authors have devised a framework that supports a robust, disciplined

development lifecycle for such software, and a comprehensive integration with traditional automotive

software engineering.

Figure�1:�DNN�development�workflow.

Figure�2:�The�W-model�for�deep�learning.

Figure�3:�The�W-model�in�Automotive�SPICE�3.0�perspective.

importance of data in developing sys-tems based on deep-learning technology.

The deep learning W-model is a frame-work lifecycle that conceptually inte-grates a V model for data developmentin the standard V perspective (Figure 2).

This lifecycle model acknowledges thatboth software development and datadevelopment drive deep learning. Thedesign and creation of training, valida-tion and test datasets, together with theirexploitation, are crucial developmentphases because the DNN’s functionalbehaviour is the combined result of itsarchitectural structure and its automaticadaptation through training. By defini-tion, deep learning moves away fromfeature engineering. This aspect makes

the W model an appropriate, useful rep-resentation of this sophisticated para-digm.

By placing the software part of the V-model of ASPICE 3.0 on top of thecoined W-model, the following diagramhints at the integration of deep learningalong the process requirements of theAutomotive SPICE model (Figure 3).The same approach may apply for ISO26262.

As deep learning ushers in radicalchanges to automotive software devel-opment (characterised by stringentrequirements in terms of rigor, controland compliance with standards), the Wmodel is a promising basis for the com-prehensive integration of deep learning

with traditional automotive softwareengineering.

References:

[1] S. Haykin: “Neural Networks andLearning Machines”, Prentice-Hall,2009.[2] F. Falcini, G. Lami: “DeepLearning in Automotive Software”,IEEE Software Vol. 34 No. 3, May-June 2017.[3] J. Schmidhuber: “Deep learning inneural networks: An overview”, NeuralNetworks Vol 61, 85-117, Jan 2015.

Please contact:

Giuseppe Lami, Fabio FalciniISTI-CNR, [email protected]@isti.cnr.it



The demand for reliable Vehicular-to-vehicular (V2V) communicationincreases on a daily basis [1]. V2V com-munication, as part of a Vehicular Adhoc Network (VANET), offers advan-tages for safety (e.g., automatic brakingsystem and traffic accident information)and non-safety applications (e.g., busi-ness and entertainment). V2V communi-cation becomes interesting due to itsflexibility to connect to other partici-pating vehicles without any Road SideUnit (RSU) infrastructure. Additionally,V2V is a promising approach to extendthe scalability issue due to high mobilitybehaviour and complex city environ-ments.

Because of the high mobility behaviourof V2V, frequent disconnection of com-munication occurs due to overpasses,tunnels, and other obstructions leadingto unstable routing issues for transmittedpackets. Evaluating this unstable routingcan be done by investigating short life-

time connections, low packet deliveryratio (PDR), and end-to-end (e2e)delays that are all highly influenced bythe road topology. Therefore, the roadtopology impacts connection and re-connection establishment between vehi-cles. The road topology in a two-dimen-sional scenario, i.e., a road with inter-sections, and in a three-dimensionalscenario, i.e., a road with overpasses,requires special calculations.

Vehicular-to-Vehicular Urban Network

Existing urban environments challengethe connectivity for V2V. Overcomingthis challenge, the developed Vehicle-to-Vehicle Urban Network (V2VUNet)concept offers an optimisation for trans-mission between vehicles by selecting(1) the proper message route and (2) thebest relay candidate in the network.Instead of using a flooding mechanismin route path establishment, the area ofroute request transmission is restrictedby measuring the relative angles [2].

The Horizontal Relative Angle (HRA)is applied when the forwarding mecha-nism occurs in a two-dimensional envi-ronment and the Vertical Relative Angle(VRA) is applied in a three-dimensionalenvironment to restrict the area for pos-sible next relay candidates. This arearestriction algorithm minimises therequired time to build a complete route,which frequently changes, by broad-casting the route request to the closestvehicle (the relay candidate). Figure 1ashows the area restriction algorithms.The resulting number of relay candi-dates is now limited but still the bestone has not been selected. Thus, the pre-dictive forwarding al gorithm shown inFigure 1b is performed. It performs amore precise calculation with additionalweight values θx and θz to select the bestrelay candidate. As an overall result theV2VUNet concept allows the lowestvalue HRA and VRA to be determinedto find the best relay candidate byrestricting the area of candidate

Reliable Vehicular-to-Vehicular Connectivity

by Lisa Kristiana, Corinna Schmitt, and Burkhard Stiller (University of Zurich)

Vehicular-to-vehicular (V2V) communications requires a reliable information interchange system.

However, in a three-dimensional environment, inevitable obstructions (e.g., road topology and

buildings) need to be considered in order to design data forwarding schemes. As one approach,

Vehicle-to-Vehicle Urban Network (V2VUNet) introduces Vertical Relative Angle (VRA) as one of the

significant factors in the case of a three-dimensional environment. VRA locates a participating

vehicle’s coordinates more precisely, when its position cannot be calculated based only on distance.

Therefore, the increased location precision leads to several forwarding algorithms (e.g., prediction

mobility and transmission area efficiency), which are expected to overcome frequent topology

changes and re-routing.


searching and by maintaining the direc-tion homogeneity assuming a scenarioas shown in Figure 1c.

Conclusions

The V2VUNet concept supports twoalgorithms for link path stability andsuccessful transmission, namely arearestriction and predictive forwarding,including HRA or VRA as the weightvalues implemented in the forwardingdecision. The goal of the proposed con-cept is to locate the best next relay can-didate in the network to forward themessage.

V2VUNet was implemented in two- andthree-dimensional environments withobstructions. The HRA and VRA areintroduced to distinguish the ‘real’ trans-mission distance between two vehicleson different road levels. The area restric-tion and predictive forwarding algo-rithms emphasize the height of the roadtopology and direction homogeneity.Current evaluation showed V2VUNetovercomes the frequent disconnectionand three-dimensional road topology

issues and improves the transmissionratio by around 25% compared to thegeneral V2V transmission rate that isless than 50% [3].

Future work foresees investigations fordata dissemination for variable datarates and higher data size. The variabledata rate will be tested to evaluate thelink lifetime when the vehicle’s direc-tion is homogeneous, meaning thesender and receiver have the samedriving direction. The higher data sizetransmission will be applied to obtain anon-safety application, since such appli-cation demands a massive data scale. This work was supported in part by theMinistry of Research, Technology andHigher Education of the Republic ofIndonesia.

References:

[1] H. Hartenstein, K. Laberteaux(Eds.): “VANET VehicularApplications and Inter-NetworkingTechnologies”, Vol. 1, John Wiley& Sons, ISBN: 978-0-470-74056-9.

[2] L. Kristiana, C. Schmitt, B. Stiller:“V2VUNet – A Filtering Out ConceptFor Packet Forwarding Decision inThree-dimensional Inter VehicularCommunication Scenarios”, IEEE27th Annual International Sympo-sium Personal, Indoor, and MobileRadio Communications (PIMRC),pp 1-6, 2016, .

[3] L. Kristiana, C. Schmitt, B. Stiller:“Evaluation of Inter-vehicleConnectivity in Three-dimensionalCases”, IEEE Wireless Days,March 2017, pp 1-4.

Please contact:

Lisa Kristiana, Corinna Schmitt,Burkhard StillerUniversität Zürich, Switzerland+41 44 635 -7586/ -7585/ -6710 [email protected],[email protected], [email protected]

Figure�1:�V2VUNet�concept�[2].

Although we have been driving cars formore than a century, human errorremains the primary cause of accidents.One way of solving this problem is toautomate the task of driving. This can bedone on five levels, as specified in SAE-J3016. At level 1, the vehicle automatesthe longitudinal or the lateral motion,whereas the driver is always required topay attention. Level 2 has similar char-acteristics, except that both longitudinaland lateral motion are automated. Withlevel 3, the automation system will mon-itor the environment and warn the driverin case of danger, but the driver is usedas fall-back. Beyond level 3, the systemperforms fall-back functionality.

The question is how to maintain thedriver at a sufficient awareness level toperform the required monitoring andfall-back task at lower automationlevels: level 3, in particular, might give afalse sense of safety. Consequently, level3 automation should only be done withina closed perimeter, designed exclusivelyfor automated driving and careful driverinstruction.

An example of a commercially availablesystem functioning at level 1 is adaptive

cruise control (ACC). We show that thissystem has only limited performancewhen encountering busy traffic [1]because large errors of the desired dis-tance might occur. By incorporatingwireless communication, referred to ascooperative adaptive cruise control(CACC), this issue can be solved.Vehicles equipped with CACC (shownin figure) communicate desired acceler-ation, in contrast to ACC, which onlyuses the relative position and velocity.In an ideal situation, with no communi-cation delay and identical vehicles, thefeedback system of the ACC-controlleris now obsolete. As such, CACC is atypical example of cooperative automa-tion, characterised by relying on infor-mation obtained via wireless communi-cation.

The assumption that in a perfect worldno additional information is requiredvanishes when considering lateral coop-erative manoeuvring. To visualise this,consider a vehicle that is moving on aplane, giving it a longitudinal, lateraland yaw degree-of-freedom. For it tomove in a lateral direction, it shouldhave a longitudinal velocity and yaw-rate, indicating the coupled and non-

linear dynamics and the resulting con-trol problem. As long as the vehicle ismoving, we show that input-output lin-earization by state-feedback decouplesthese dynamics. Consequently, avehicle-following controller is devel-oped by using PD-control [2]. Thisgives rise to a particular problem:corner cutting. In case of lateral vehicleautomation, it may cause the followervehicle to leave its lane. Thus, thevehicle can no longer rely solely on theinformation received from the pre-ceding vehicle, but it needs to have self-awareness about its position and sur-roundings. This bridges the gapbetween cooperative and autonomousvehicles [3].

The analysis above shows that for com-bined longitudinal and lateral CACC,the vehicle needs to be aware of its ownlocation with respect to infrastructure asthe default controller promotes cornercutting. To this end, on board sensorssuch as radar, scanning lasers or cam-eras are employed.

In conclusion it is worth asking whetherwe can design a successful automatedvehicle without communication.



Why is Autonomous Localisation Required

in Lateral Cooperative Control?

by Tom van der Sande (Eindhoven University of Technology), Jeroen Ploeg (TNO) and Henk Nijmeijer

(Eindhoven University of Technology)

What is the link between cooperative automated vehicles and autonomous vehicles? At the

Eindhoven University of Technology, we recently started the i-CAVE (integrated cooperative

automated vehicles, STW14893) project, focusing on the development of dual-mode operation of

cooperative automated and autonomous vehicles, which will provide an answer to this question.

Here we discuss the state of the art of cooperative automated and autonomous vehicles using the

guidelines as provided by the Society of Automotive Engineers (SAE) and show that contemporary

systems are far from being fully autonomous.

di di‒1

vi+1

di+1i+1

vi vi‒1

wirelesscommunication

radar

i–1i

Figure�1:��A�homogeneous�vehicle�platoon.�Our�research�shows�that�contemporary�systems�are�still�far�from�being�fully�autonomous,�as�they�will

benefit�from�information�that�can�only�be�obtained�through�communication.�Picture:�J.PLoeg�[1].

Obviously full autonomy must be a fall-back mechanism of automation in com-bination with communication, howeverto be successful as an individualvehicle, do we need to know more aboutour environment than our on board sen-sors tell us? Classical control theoryteaches us there is a large benefit inusing information in the control systemthat can only be obtained through com-munication.

Link:

www.stw.nl/nl/content/p14-18-i-cave-integrated-cooperative-automated-vehicle

References:

[1] J. Ploeg, N. van de Wouw, H.Nijmeijer: “Lp string stability ofcascaded systems: Application tovehicle platooning”, IEEETransactions on Control SystemsTechnology.

[2] A. Bayuwindra, Ø. Aakre, J. Ploeg,H. Nijmeijer: “Combined lateraland longitudinal CACC for aunicycle-type platoon”, 2016 IEEEIntelligent Vehicles Symposium (IV).

[3] T. van der Sande, H. Nijmeijer:“From cooperative to autonomousvehicles”: Springer LNCS, 2017.DOI: 10.1007/978-3-319-55372-6

Please contact:

Tom van der SandeTU/e, The [email protected]


The sixty year old research field oft raff ic control has recent ly beenaddressing the ultra-modern subject ofautonomous vehicle control. The maingoal of traffic control is to optimisetraffic management with respect to anumber of variables, including con-gestion, emissions, travel time reduc-tion and safety. To this end, AdaptiveCruise Control (ACC) systems wereenvisioned. Once introduced, thesetools need to conform to normaltraffic dynamics, consequently theywil l need to resemble a humandriver’s behaviour.

Properties of hybrid systems, whichencompass both continuous and dis-crete time dynamics evolution, allowfor implementation of the complexmodelling of the human way of driving.Our approach considers a number ofcontrol laws, one for each different situ-ation, and embeds them in a uniquemodel obtaining a mesoscopic hybridmodel, i.e., a microscopic hybrid modelthat takes into account macroscopicparameters [1]. Indeed, environmentalinformation is used to better representhuman characteristics, defining a modelcloser to reality. The macroscopic infor-

mation can either be provided by a cen-tralised traffic supervisor, or it can begathered, elaborated and transmitted bythe vehicles themselves, when they areconnected and can exchange informa-tion.

The resulting ACC system processesinformation about other vehicles andtakes decisions about braking or throttleactions on the basis of a human-inspiredmodel, with the purpose of safely con-trolling single vehicle dynamics in rela-tion to a car in front. The frameworkconsidered in [1] is deterministic, and

Safe Human-Inspired Adaptive Cruise Control

for Autonomous Vehicles

by Alessio Iovine, Elena De Santis, Maria Domenica Di Benedetto (University of L’Aquila) and Rafael

Wisniewski (Aalborg University)

The safety issues associated with autonomous vehicles necessitate more robust and reliable

solutions for Adaptive Cruise Control (ACC). A human-inspired hybrid model with the design goal of

replacing and imitating the behaviour of a human driver is being developed, ensuring an appropriate

safety level while respecting comfort.

Figure�1:�The�interaction�zone�split�in�different�regions. Figure�2:�The�possible�discrete�transitions�resulting�in�the

considered�hybrid�system.

http://www.stw.nl/nl/content/p14-18-i-cave-integrated-cooperative-automated-vehicle

the next step is to consider stochasticprocesses, giving a definition of safetywith respect to a probability measure,and using new techniques producingbarrier functions for a risk acceptanceprobability [2]. The objective is todefine the minimum distance betweentwo vehicles which allows collisionavoidance with a given desired proba-bility. The barrier functions calculatedin [1] will then change, while the hybridsystem structure imitating the humandriver is preserved.

Our research is also investigating bio-inspired robots, with the aim of imi-tating and reproducing the naturalbehaviour of a living being. This allowsus to include a human driver in the con-trol loop, reproducing the adaptabilityto various conditions and comfort,while maintaining the full controlla-bility of the system and avoiding humanweaknesses, such as mistakes or dis-tractions.

The first purpose of the model is to pro-vide information to the human driverabout which risk level applies to a givensituation, which will enable the driver toselect the appropriate balance between

safety and performance. Theautonomous vehicle will reactaccording to the chosen setup.

The model has a range of potentialapplications. First, it makes it pos-sible to fix a probability safety min-imum range that should be respectedby autonomous vehicles; this wouldlead to improvements both from asingle vehicle point of view and fortraffic flow (in fact, the presence of asingle dangerous vehicle on the roadhas a negative impact on the entireflow). Furthermore, the consideredmodel could reduce legal disputesbetween owners of autonomous vehi-cles and the car manufacturingindustry: vehicles could have a com-pletely safe setting as default with theoption for the owner to modify it. Inthe case of an accident, the responsi-bility is in the hands of the driver whochose the risk level. It must be notedthat in a competitive world whereautonomous vehicle sales may dependin part on their potential to engage intruly dangerous situations, it is essen-tial to set a minimum legal safetyrange to avoid a race among vehiclemanufacturers.

Link:

http://safecop.deib.polimi.it/

References:

[1] A. Iovine, et al.: “Safe human-inspired mesoscopic hybridautomaton for autonomousvehicles”, Nonlinear Analysis:Hybrid Systems, http://dx.doi.org/10.1016/j.nahs.2016.08.008

[2] C. Sloth, R. Wisniewski: “SafetyAnalysis of Stochastic DynamicalSystems”, IFAC-PapersOnLine,Volume 48, Issue 27, 2015, Pages62-67, ISSN 2405-8963,http://dx.doi.org/10.1016/j.ifacol.2015.11.153

Please contact:

Alessio Iovine, Elena De Santis, MariaDomenica Di BenedettoCenter of Excellence DEWS,University of L’Aquila, [email protected],[email protected],[email protected]

Rafael Wisniewski Aalborg University, [email protected]



Autonomous vehicles are now a reality,and several cities around the globe haveseen their development in differentshapes and contexts. A question is howthese vehicles will interact with otherroad users in daily traffic, especiallywith vulnerable road users such aspedestrians and cyclists? [1]. Accordingto the World Health Organisation,approximately 325,000 pedestrians andcyclists were killed in traffic worldwidein 2015, making safety of this group ofroad users a priority. Vehicle automationis expected to reduce such fatalities inthe future.

As vehicles start driving on their ownand drivers become riders who can doother things in the vehicle, new types of

interactions are likely to emerge that areunrelated to the driving task. Thus,driver behaviour is no longer neces-sarily representing the actions of thevehicle by, for example, eye contact andgestures. A series of studies conductedby RISE Viktoria, RISE Interactive,Autoliv, Volvo Cars, Volvo Group andScania show that pedestrians experi-ence discomfort and confusion and feelunsafe when they encounter vehiclesnot having an active driver behind thesteering wheel [2]. To compensate forthe missing signals in driver behaviour,it was also found that pedestrians mayrequire supporting information aboutthe status of autonomous vehicles,including current operation mode(manual vs. autonomous) and imminent

behaviour (e.g., ‘about to start’, ‘aboutto stop’ and ‘resting’).

Based on these findings, we havedesigned an example interface conceptnamed AVIP [L1] to illustrate a poten-tial universal, visual communicationinterface for autonomous vehicles. TheAVIP interface consists of an outward-facing LED light strip affixed to the topof the vehicle wind shield that uses dis-tinct patterns of light to communicatethe vehicle’s status and intent to pedes-trians [3]. In simple terms, it could bedescribed as a type of “smart” frontalbrake light that informs surroundingroad users about what the autonomousvehicle is about to do, without explicitlytelling the road users what they should

Hello Human, can you read my mind?

by Jonas Andersson, Azra Habibovic, Maria Klingegård, Cristofer Englund and Victor Malmsten-Lundgren

(RISE Viktoria)

For safety reasons, autonomous vehicles should communicate their intent rather than explicitly invite

people to act. At RISE Viktoria in Sweden, we believe this simple design principle will impact how

autonomous vehicles are experienced in the future.

dx.doi.org/10.1016/j.nahs.2016.08.008

dx.doi.org/10.1016/j.ifacol.2015.11.153


do and when. This is different to otherinterface concepts suggested by otherplayers in the area, where the vehicleexplicitly invites you to go ahead, forexample with a text message, a pictureor a projected zebra crossing.

We believe that inviting other road usersto act may create false expectations ofthe surrounding traffic that the

autonomous vehicles cannot necessarilyaccount for. Instead, a design principlebased on communicating intent ratherthan explicitly inviting people to actcould avoid ambiguities due to a mis-match between the vehicle’s invitationand the surrounding traffic. Regardlessof what the communication interfacelooks like, we suggest that this designprinciple should be widely adopted, if

not standardised, as autonomousvehicle technology matures.

Link:

[L1] www.viktoria.se/projects/avip-automated-vehicle-interaction-principles

References:

[1] M. Nilsson, T. Ziemke, S. Thill:“Action and intention recognition inhuman interaction with autonomousvehicles”, in “ExperiencingAutonomous Vehicles: Crossing theBoundaries between a Drive and aRide” workshop in conjunction withCHI2015 (2015).

[2] V. M. Lundgren, et al.: "Will ThereBe New Communication NeedsWhen Introducing AutomatedVehicles to the Urban Context?”,Advances in Human Aspects ofTransportation, Springer, 485-497,2017.

Please contact:

Jonas AnderssonRISE Viktoria, Research Institutes ofSweden+46 (0)73 925 80 [email protected]

Figure�1:�The�AVIP�concept.�The�changing�LED�light�communicates�the�intention

of�an�autonomous�vehicle.

Mobility is a key dimension of our dailylives both for work and personal duties.Ensuring safe, rapid, predictable andaffordable transportation is quite chal-lenging because our transportation net-works are under high load, especially atpeak hours. The level of performancethat can be achieved is often limited bythe human driver; the inherent con-straints being reaction time (resulting intriggering jams), reliability (90% of caraccidents are a result of human error)and also economic cost. Airlines,railway and car manufacturers have con-sequently worked to assist the driver byreducing the driver’s work and are even

considering the ultimate goal of goingdriverless.

Different levels of automation havebeen defined in each transportationdomain. Table 1 gives a comparativeoverview of those levels with relatedautomation features and the respectivesplit of responsibility between thesystem and human driver/pilot. Theautomotive SAE classification [url1]was used as reference framework toalign railway grades of operation (GoA)[url2] and aircraft levels of automation[url3]. The lowest level is fully manualdriving, although even this level gener-

ally includes some safety protectionsystems. Vehicles in the next level upprovide assistance in specific or time-bounded tasks. While cars are currentlyonly reaching partial automation, rail-ways and airplanes have alreadyachieved much higher levels, e.g., fullyautonomous metro lines.

The automotive industry is now consid-ering the critical transition to a levelwhere the car is able to drive itself sothe driver has no need to steer, brake,accelerate or watch the road. However,as the system cannot cope with all situa-tions, the driver must be ready to

Cross-domain fertilisation in the Evolution

towards Autonomous Vehicles

by Christophe Ponsard, Philippe Massonet and Gautier Dallons (CETIC)

There is a strong move towards assisting the driver, and even relieving the driver from driving duties,

in various modes of transportation, including autonomous car, train and aircraft operation.

Successive levels of automation are progressively shifting responsibility from the driver to the

vehicle. We present a brief comparative analysis of automation levels in the automotive, railway and

aeronautic domains with a focus on how to keep the human in the loop both at design and run-time.

https://www.viktoria.se/projects/avip-automated-vehicle-interaction-principles

resume operation when instructed. Thisis quite challenging because severalobstacles have to be carefully addressed[1]. Our work on this topic relies onrequirements engineering techniques[2], based both on characteristics fromthe human driver and on the transposi-tion of known problems in otherdomains. Some interesting issues toaddress are the following:

• Situation awareness: the systemneeds to make sure the driver has acorrect mental picture of the environ-ment when handing back control.This is more difficult to achieve whendriver focus has switched to non-driving duties.

• Human reaction abilities: raising thealarm at short notice is dangerousbecause the driver will not be able tofully analyse the situation or even gointo panic. The system needs to antic-ipate known events (e.g., motorwayexit in five kilometres), pre-crashscenarios (e.g., suspicious car behav-iour ahead) and also report aboutdegradation of its performance (e.g.,due to weather or road conditions).This also enables the driver toincrease their situation awareness asrequired.

• Warning annoyance: driver trust inthe system can rapidly decrease if thesystem sounds alarms at inappropri-ate times or generates too manywarnings.

• Task inversion: the driver mightswitch to a mode where his focus isonly on monitoring alarms and notpaying attention to the real world sit-uation.

Based on such an analysis, specificstrategies can be designed and experi-mented. The whole system should notbe seen as static but rather an evolvingcooperation between the driver and thevehicle with learning occurring on bothsides. In this regard, machine learningtechniques can play an important rolefor making sure the driver and thesystem are operating optimally together[3]. With the advent of connected car,this driving experience (especiallyproblematic scenarios) will easily bereported, analysed and enhanced. Ourfuture work will focus more specificallyon the railway domain in the context ofINOGRAMS project objectives relatedto automated train operation, especiallyfor high efficiency [4].

Links:

[L1] www.sae.org/misc/pdfs/automated_driving.pdf

[L2] tiny.cc/uitp-goa [L3] tiny.cc/nbaa-flight-automation [L4] www.cetic.be/INOGRAMS-2104

References:

[1] S. M. Casner, et al.: “TheChallenges of Partially AutomatedDriving”, Communications of theACM, 59(5):70-77, 2016

[2] A. van Lamsweerde: “RequirementsEngineering: From System Goalsto UML Models to SoftwareSpecifications”, Wiley, 2009.

[3] P. Koopman, M. Wagner:“Challenges in AutonomousVehicle Testing and Validation”,SAE Int. J. Trans. Safety 4(1):15-24, 2016.

Please contact:

Christophe PonsardCETIC, Belgium+32 472 56 90 [email protected]



Table�1:�Comparison�of�automation�levels�in�automotive,�railways�and�aeronautics.

http://www.sae.org/misc/pdfs/automated_driving.pdf

tiny.cc/uitp-goa

tiny.cc/nbaa-flight-automation


Self-driving technologies haveimproved to the point that major indus-trial players are now investing in, devel-oping and testing self-driving vehicles invarious countries. It is touted that fleetsof self-driving vehicles will be opera-tional within five years. Besides eco-nomic reasons, a major incentive behindself-driving vehicles is safety. Roadtraffic deaths across the world reached1.25 million in 2015 and since the driveris responsible for most crashes, it seemsnatural to strive to design self-drivingvehicles. Obviously, an autonomousvehicle is safe if it avoids collision.Now, collisions happen for different rea-sons: hardware or software failures, per-ceptual errors that result in an incorrectunderstanding of the situation (in May2016, a self-driving vehicle crashedkilling its driver because its camerafailed to recognise a white truck againsta bright sky), and reasoning errors, i.e., awrong decision is made (in February2016, a self-driving vehicle was for thefirst time responsible for a crash becauseof a wrong decision). Our researchfocuses on reasoning errors. At a funda-mental level, a collision will happen assoon as a vehicle reaches an inevitablecollision state (ICS), i.e., a state forwhich, no matter what the vehicle does,a collision will eventually occur [1].

The insights on collision avoidanceresulting from our investigation of the

ICS concept are expressed succinctly bythe following quote: ‘One has a limitedtime only to make a motion decision,one has to globally reason about thefuture evolution of the environment anddo so over an appropriate time horizon.’

As abstract and general as this quotemay seem, it implicitly contains motionsafety laws whose violation is likely tocause a collision [2]. ICS were initiallyinvestigated with the aim of designingmotion strategies for which collisionavoidance could be formally guaran-teed. Assuming the availability of anaccurate model of the future up to theappropriate time horizon, we were ableto design motion strategies with guaran-teed absolute motion safety i.e., no col-lision ever takes place.

In the real world, things are not so rosysince accurate information about thefuture evolution of the environment isnot available. The choice then isbetween conservative or probabilisticmodels of the future. In conservativemodels, each obstacle is assigned itsreachable set, i.e., the set of positions itcan potentially occupy in the future.Conservative models solve the problemof the discrepancy between the pre-dicted future and the actual future. Intheory, they could allow for guaranteedmotion safety. In practice however, thegrowth of the reachable sets as time

passes by is such that every positionbecomes potentially occupied by anobstacle and it is then impossible to finda safe solution. In probabilistic models,the position of an obstacle at any giventime is represented by an occupancyprobability density function. Suchmodels are well suited to represent theuncertainty that prevails in the realworld. However, as sound as the proba-bilistic framework is, it cannot providemotion safety guarantees that can beestablished formally, minimising thecollision risk is the only thing that canbe done then. Today, most, if not all,self-driving vehicles rely upon proba-bilistic modelling and reasoning todrive themselves. The current paradigmis to test self-driving vehicles in vivoand, should a problem occur, to patchthe self-driving system accordingly. Inan effort to improve the situation and toprovide provable motion safety guaran-tees, we would like to advocate an alter-native approach that can be summarisedby the following motto: “Better guar-antee less than guarantee nothing.”

The idea is to settle for levels of motionsafety that are weaker than absolutemotion safety but that can be guaran-teed. One example of such a weakerlevel of motion safety guarantees that, ifa collision must take place, the self-driving vehicle will be at rest. Thismotion safety level has been dubbed

Will the driver Seat Ever be Empty?

by Thierry Fraichard (Inria)

Self-driving vehicles are here and they already cause accidents. Now, should road safety be

considered in a trial and error perspective or should it be addressed in a formal way? The

latter option is at the heart of our research.

Figure�1:�A�self-driving�vehicle�among�fixed�and�moving�obstacles�(left);�2D�slice�of�the�5D�state�space�of�the�self-driving�vehicle,

the�black�areas�are�the�corresponding�inevitable�collision�states�that�must�be�avoided�(right).

passive motion safety and it has beenused in several autonomous vehicles.Passive motion safety is interesting fortwo reasons: (i) it allows provision of atleast one form of motion safety guar-antee in challenging scenarios (limitedfield-of-view for the robot, completelack of knowledge about the futurebehaviour of the moving obstacles [3]),and (ii) if every moving obstacle in theenvironment enforces it then no colli-sion will take place at all.

We are currently exploring moresophisticated levels of motion safety.We are also studying the relationshipbetween the perceptual capabilities of

the self-driving vehicles and the levelsof motion safety that can be achieved.The long-term goal of our research is toinvestigate if and how current self-driving technologies can be improved tothe point that the human driver cansafely be removed from the driving loopaltogether, paving the way to truly self-driving vehicles whose motion safetycan be formally characterised and guar-anteed.

References:

[1] T. Fraichard, H. Asama: “Inevitablecollision states. a step towardssafer robots?”, Advanced Robotics,vol. 18, no. 10, 2004.

[2] T. Fraichard: “Will the driver seatever be empty?” INRIA, ResearchReport RR-8493, Mar. 2014.[Online]. http://hal.inria.fr/hal-00965176

[3] S. Bouraine, T. Fraichard, H. Salhi:“Provably safe navigation formobile robots with limited field-of-views in dynamic environments,"Autonomous Robots, vol. 32, no. 3,Apr. 2012.

Please contact:

Thierry FraichardInria Grenoble Rhône-Alpes, [email protected]



In our latest research activity, a tractor(type Steyr 6230 CVT) was provided bythe Austrian Armed Forces for the pur-pose of automating agricultural tasks onspecial areas. In a first step, this mobilemachine was prepared in close coopera-tion with the manufacturer CNH Austriato serve as a mobile research platform.An electrical single-point interface pro-vides access to the various functions ofthe tractor via actuators and the CANbus system, which enables a set of addi-tional computers and dedicated softwareto take over control. The vehicle isequipped with a multi-modal sensorsystem combining stereo vision, laserscanning, RTK-GPS and IMU to addressdifficult and varying outdoor conditions.A dedicated AIT stereo vision systemmounted behind the windshield at thefront and another on the rear of thevehicle provide dense 3D data of thetractor’s environment (Figure 1).

An important step to further increaseefficiency in farming is to develop com-pletely driverless machines which

would, for example, enable one oper-ator to monitor and control multiplemachines at once. Thus, AIT investi-gates important computer vision basedtechnologies and methods that improvethe abilities of future autonomous vehi-cles and machines for agricultural appli-cations. Furthermore, research is drivenby a specific use-case defined by theAustrian Armed Forces: cultivation(e.g., mulching, mowing) of firebreakson military training areas endangeredby explosive ordnances. The tech-nology developed by AIT allows theoperator to safely monitor and controlthe semiautonomous machine from asafe distance with a high level of situa-tional awareness.

The sensed 3D data of the stereo camerasystems [1] and the laser scanner is con-tinuously fused into an ‘elevation map’– a 2.5D representation of the terrain.As the vehicle moves, the reconstruc-tion of the vehicle’s surroundingsbecomes more and more complete. Anessential task is estimating the ego-

motion and the pose of the vehicle. Thetrajectories of the stereo visual odome-tries, the orientation of the inertialmeasurement unit and the position ofthe RTK-GPS are fused with anextended Kalman filter. The filtermodels the kinematics of the vehicleand computes a precise estimate of thepose [2]. Furthermore, the geometry ofthe elevation map is analysed in order toobtain a traversability map, whichdenotes drivable and non-drivable areasas well as obstacles around the vehicle.The map is organised using a tile basedapproach, which allows storing, loadingand updating large scale maps. In thatway the georeferenced mapped areascan also be accessed via a geographicinformation system.

The real-time traversability map is usedby the path planning module to calcu-late a collision free trajectory along apredefined mission path. Dynamicallyappearing obstacles are avoided by cal-culating a local bypass route using asampling-based motion planning algo-

Intelligent Environmental Perception for Navigation

and operation of Autonomous Mobile Machines

by Robert Rößler, Thomas Kadiofsky, Wolfgang Pointner, Martin Humenberger and Christian Zinner (AIT)

Research at AIT on autonomous land vehicles is focusing on transport systems and mobile machines which

operate in unstructured and heavily cluttered environments such as off-road areas. In such environments,

conventional technologies used in the field of advanced driver assistance systems (ADAS) and highly

automated cars show severe limitations in their applicability. Therefore, more general approaches for

environmental perception have to be found to provide adequate information for planning and decision

making. As a special challenge, our focus is on vehicles that actively change their environment, e.g., by

cutting high plants or manipulating piles of pellet materials. To operate such machines autonomously, novel

approaches for autonomous motion planning are required.


rithm [3]. If rerouting is not successful,the vehicle stops safely. A pilot modulegenerates drive commands based uponthe relative position of the tractor to theplanned path. These commands are exe-cuted by the interface module control-ling the tractor actuators.

The information collected by thevehicle including camera streams, thevehicle’s trajectory, the computed mapdata, etc. is transmitted to a base station,where the operator can access it througha graphical user interface. Choosingbetween different visualisation modesallows for better evaluation of complex

situations. The possibilities to overlaysatellite images with live map data and3D reconstruction of the vehicle’s envi-ronment increase the situational aware-ness of the operator and ensure efficientand safe handling (Figure 2).

Vehicle tasks are planned within thegraphical user interface on the basis ofsatellite images and sensor data. Forinteraction and control of the system,common user-friendly input deviceslike a mouse and a game controller areused. The vehicle supports differentmodes of operation, which representdifferent levels of autonomy:

• manual teleoperation• a semi-autonomous mode called

‘Click&Drive’• following a planned path fully

autonomous.

In ‘Click&Drive’ mode the next way-point can be set directly or specialmanoeuvres such as Y-turns can be trig-gered by the operator. The vehicle exe-cutes these commands using itsautonomous capabilities of path plan-ning and collision avoidance.

With the developed system, AIT is ableto address a real safety problem (culti-vating areas endangered by explosiveordnances) which currently lacksappropriate solutions within the avail-able off-the-shelf technologies, thusshowing the potential of autonomoussystems that will be operating in thenear future. Simultaneously, research onhuman machine interaction and envi-ronmental perception and segmentationfor machines that are changing theirenvironment during operation ispressed ahead.

Link:

http://www.ait.ac.at/themen/3d-vision/autonomous-land-vehicles/

References:

[1] M. Humenberger et al.: “A faststereo matching algorithm suitable forembedded real-time systems”, J.CVIU,114 (2010), 11.[2] S. Thrun et al., “ProbabilisticRobotics”. MIT Press, Cambridge2005, ISBN 9780262201629. [3] S. Karaman, E. Frazzoli:“Sampling-based Algorithms forOptimal Motion Planning”, IJRR, 30(2011), 7.

Please contact:

Robert Rößler, Thomas Kadiofsky,Wolfgang Pointner, MartinHumenberger, Christian ZinnerAIT Austrian Institute of TechnologyGmbH, AustriaE-mail: {robert.roessler,thomas.kadiofsky, wolfgang.pointner,martin.humenberger,christian.zinner}@ait.ac.at

Figure�1:�Top�left:�research�platform�Steyr�6230�CVT,�Top�right:�additional�computers�running

dedicated�software�(3x�Intel�i7�Ivy�Bridge),�Bottom:�windshield�mounted�AIT�stereo�camera

system�(light�blue).

Figure�2:�Left:�satellite�image�(Google�Maps)�overlaid�with�real-time�traversability�map;

planned�path�and�waypoints�(red),�vehicle�trajectory�(blue),�Top�right:�3D�reconstruction�of

vehicle�surroundings�coloured�by�traversability�from�blue�(good)�to�red�(bad/obstacle),�Bottom

right:�real-time�path�planning;�planned�path�(red�arrows),�next�planned�vehicle�position�(cyan).

One of the pillars of current industry-related research in Europe is the devel-opment of intelligent transport systems,which can ease the safe movement ofpeople and goods by means of smartcomputer platforms that require limitedhuman support. In near future, fleets ofautonomous vehicles will need to besupervised and managed. To this end, atISTI-CNR, we have been developing anadvanced automatic train supervision(ATS) system that is able to dispatchtrains in a railway layout, while avoidinggridlocks [1]. A gridlock is a localiseddeadlock in which vehicles mutuallyblock each other in a specific region,while other vehicles are still free tomove. While safety is ensured by inter-locking systems, efficient dispatching iscurrently performed by humans, and theTRACE-IT project lays a possible basisfor automating this task.

Model-checking technology underpinsour approach, which is composed of twomain phases: a configuration phase andan actual dispatching phase. In the firstphase, model checking is used to identifya set of constraints that the ATS shouldconsider when dispatching the trains toavoid gridlocks. To identify these con-straints, the model-checking algorithminitially takes as input a formal modelthat includes the railway layout, and theplanned missions of the train. Then, itexplores all the possible sequences ofmovements of the trains, and identifiespotential gridlocks. For each gridlockfound, the algorithm produces the criticalregions of the layout in which the grid-lock might occur, and the maximum

number of trains allowed in each regionthat guarantees the absence of gridlock.These are the constraints that are usedby the ATS during the actual dispatchingphase. In this phase, before allowing atrain to enter one of the constrained crit-ical regions, the ATS checks that themaximum number of trains allowed inthat region is not exceeded. When novelmissions or vehicles enter into play, areconfiguration cycle is performedthrough model checking, following thefirst phase. Hence, new regions andnumerical constraints are produced forconsideration by the ATS.

In TRACE-IT, the approach was experi-mented on a realistic layout for metrosystems provided by ECM S.p.A., andreported in Figure 1. The figure depictsthe physical layout in black solid lines,and the missions of eight trains incoloured lines. Within TRACE-IT, con-figuration and reconfiguration wereperformed offline by means of the gen-eral-purpose model checker UMC,belonging to the KandISTI family [2].We have also experimented the imple-mentation of a dynamic reconfigurationprocess, by developing a special-pur-pose model checker – integrated withinthe ATS – which focusses on the verifi-cation of these particular properties forthis particular class of models.

This gridlock avoidance approach canbe adapted to any kind of vehiclemoving along pre-defined paths – eitherphysical or virtual – that should satisfysafety distance requirements. The fleetsof autonomous vehicles that can be

managed with this approach range fromcars to trucks, and from drones toswarms of robots. Of course, when thelayout of movements is particularlylarge, it may become necessary todecompose it into smaller fragments toavoid exponential state-space explosionduring the analysis [3].

This work was carried out within thePAR FAS 2007-2013 TRACE-ITProject, funded by the Tuscan Region,and involving the University ofFlorence, and railway signalling manu-facturer ECM S.p.A.

Link:

http://fmt.isti.cnr.it/umc

References:

[1] F. Mazzanti, G.O. Spagnolo, S. DellaLonga, A. Ferrari: "Deadlockavoidance in train scheduling: Amodel checking approach". FMICS2014, LNCS Vol. 8718, Springer,2014, 109-123.

[2] M.H. ter Beek, S. Gnesi, F.Mazzanti: "From EU projects to afamily of model checkers".Software, Services, and Systems,LNCS Vol. 8950, Springer, 2015,pp. 312-328.

[3] A. Ferrari, G. Magnani, D. Grasso,A. Fantechi: "Model checkinginterlocking control tables".FORMS/FORMAT 2010. Springer,2011, pp. 107-115.

Please contact:

Franco Mazzanti, ISTI-CNR, [email protected]



Avoiding Gridlocks in the Centralised

dispatching of a fleet of Autonomous Vehicles

by Franco Mazzanti, Alessio Ferrari and Giorgio O. Spagnolo (ISTI-CNR)

Autonomous vehicles will become pervasive in the near future. The TRACE-IT project is investigating

how gridlocks may be avoided.

Vicolo Corto

Via AccademiaBCA01I

II

Piazza UniversitàI

II

BCA02 Via VerdiI

II

BCA03Piazza Dante

I

II

IIIBCA05

BCA04

I

II

I I

II

Vicolo Stretto

Via Marco PoloVia Roma

Viale dei Giardini

Parco della Vittoria

I

II

III I

II

III

IVViale Monterosa

5

7

8

10

11

12

15

16

1718

20

22

23

24

25

262728

29

3031

32

139641 3

2

Figure�1:�Metro�layout�for�TRACE-IT�project.


Events and activities in the real world ofphysical objects comprise too large a setof possibilities and contingencies toaccount for or control in any static planor algorithm, meaning that cyber-phys-ical systems simply need to be robustenough to deal with those contingenciesas they come up. Thus, a software agentmust tolerate less-than ideal conditionsand cope with hindrances, while itstretches its resources and capabilities tostill achieve its goals by sub-optimalmeasures. When something goes awry –as it invariably does – the ability to diag-nose what went wrong and why is cru-cial for a system to take corrective orcompensatory actions, and/or try toavoid similar undesirable behaviour inthe future.

Consider a team of crop surveillancedrones, deployed to survey a field andrelay locations of possible signs of dis-ease, drought, flooding, etc. The teammay include flying drones as well asland lobbers. Maintaining an acceptable

altitude, awareness of battery levels,avoiding birds of prey, circumnavi-gating unforeseen obstacles such as soilshifts and slides or weed growth onpaths, are among concerns that suchautonomous agents must handle grace-fully. Engineering best practices callfor isolating such separate concerns intodifferent modules by design, thusallowing for their reuse, as well as theirindependent verification. Of course, thebehaviour of each agent that is com-posed of such modules must satisfy cer-tain crucial properties, such as ‘whenenergy level is low, the drone still man-ages to reach its charging station’.Moreover, we need to establish that acertain team of such agents exhibits col-lective behaviour that satisfies someother set of crucial properties, such as‘every patch of the field gets surveyedwithin a bounded time window’.

Compositional techniques comprise thehallmark of all disciplines of engi-neering: they enable construction of

complex systems by composition ofsimpler components or sub-systems,such that designers can obtain andanalyse the properties of interest of aresulting system through compositionand analysis of the corresponding prop-erties of its constituent parts. To com-positionally model cyber-physical sys-tems, we employ an automata-basedparadigm called Soft ComponentAutomata (SCA) [3]. An SCA is a state-transition system where transitions arelabelled with actions and preferences.The intuition to the preferences is thathigher-preference transitions typicallycontribute more towards the goal; if acomponent is in a state where it wantsthe system to move north, a transitionwith action “north” has a higher prefer-ence than a transition with action“south”. Preferences thus provide a nat-ural fall-back mechanism for the agent:in ideal circumstances, the agent wouldperform only actions with the highestpreferences, but in some circumstances,the agent may be permitted to choose a

diagnosis of deviations in distributed Systems

of Autonomous Agents

by Farhad Arbab (CWI)

Components that comprise the agents, such as drones, in a distributed cyber-physical system may

individually take seemingly reasonable actions, based on their available information Such actions

may collectively lead to an eventual unacceptable system behaviour. How can we identify culpable

components and agents? At CWI we develop formal models for compositional construction and

analysis of such systems, along with tools and techniques to narrow the set of possible components

that contribute to undesirable behaviour.

Figure�1:�surveillance�drone�(source:�Shutterstock).

transition of lower preference. Thebehaviour of an SCA is given by alltransitions whose preference exceeds athreshold. By adjusting the threshold,the designer can include transitions oflower preference, thus obtaining a moreflexible system by virtue of the newlyavailable actions — even though thoseactions contribute less directly towardsthe goal.

Soft component automata constitute ageneralisation of constraint automata[2], one of the many semantics of Reo[1], a language for verifiable coordina-tion of interactions among components.Consequently, our framework possessesthe interesting feature that, like Reo, itblurs the line between computation andcoordination — both are formalised bythe same type of automata, whichallows us to reason about these conceptsin a uniform fashion.

When the collective behaviour of such asystem violates some of its verificationrequirements, it is useful to know notonly the particular scenario that led or

leads to such violation (i.e., a coun-terexample), but also the likely culprits.For instance, if a flying surveillancedrone fails to maintain its target alti-tude, a counter-example can reveal thatthe drone attempted to reach the far sideof the field, ran out of energy and wasrequired to perform an emergencylanding. Many existing LTL-based veri-fication tools are able to provide suchcounterexamples. Taking this idea ofdiagnostics one step further in the con-text of a compositional design, wewould like to be able to identify thecomponent (or components) respon-sible for the first action in the coun-terexample that violated the require-ment. Such an indication may assist thedesigner of a system in finding the com-ponent responsible for a failure (which,in our example, may turn out to be theroute planning component), or, at thevery least, rule out components that arenot directly responsible (such as thewildlife evasion component).

Link:

http://projects.cwi.nl/dedea

References:

[1] F. Arbab: “Puff, The MagicProtocol”, Formal Modeling:Actors, Open Systems, BiologicalSystems 2011, SRI International,Springer LNCS, vol. 7000, pp.169-206.

[2] C. Baier, M. Sirjani, F. Arbab, J.Rutten: “Modeling componentconnectors in Reo by constraintautomata”, Science of ComputerProgramming, 61:75–113, 2006,http://dx.doi.org/10.1016/j.scico.2005.10.008.

[3] T. Kappé, F. Arbab, C. Talcott: “ACompositional Framework forPreference-Aware Agents”, CWITechnical Report FM-1603, 2016,https://repository.cwi.nl/noauth/search/fullrecord.php?publnr=24625.

Please contact:

Farhad Arbab, CWI, The Netherlands [email protected]



The phenomenon of ice accretion onaircraft's surfaces is a critical and wellrecognised problem that affects aviationsafety. The consequences of this phe-nomenon, commonly referred to asicing, include a significant decrease ofthe lift and manoeuvrability of thevehicle and a simultaneous increase indrag, weight and power consumption,which obstruct conducting autonomousoperations in environments with harshweather conditions, e.g., those typicallyencountered in the Arctic region.

Ice protection systems (IPS) have beenproposed as a means of mitigating theeffects of icing. Large aircraft are typi-cally equipped with efficient anti-icingand de-icing devices. However, due to

space and weight limitations, thesedevices are unsuitable for small air-craft and alternative solutions must besought. At NTNU, very promisingresults have been obtained usingcarbon nanotechnology to developthin layers of coating material to bepainted on the surfaces of aircraft.These layers can be heated to melt theice using onboard electricity.However, in order to assure high effi-ciency and limit energy consumption,icing diagnosis schemes are neededfor optimal activation of the icing pro-tection scheme. At the same time, thediagnosis scheme must be able torobustly distinguish icing from actu-ator faults, e.g., loss of efficiency inthe thrust or in the elevator, and toler-

ance against these types of faults mustalso be guaranteed.

A robust fault/icing diagnosis and toler-ance scheme must take into accountchanges in the aircraft's dynamics dueto the variation of the operating point,the presence of uncertainty in the avail-able mathematical model and otherundesired effects, such as exogenousdisturbances, e.g., the wind, and meas-urement noise in the sensors.

The changes in the aircraft's dynamicsdue to the variation of the operatingpoint can be addressed using a linearparameter varying (LPV) method-ology. The LPV paradigm provides anelegant way to apply linear-like tech-

Robust fault and Icing diagnosis

in Small Unmanned Aircrafts

by Damiano Rotondo and Tor Arne Johansen (NTNU)

Small unmanned aircraft working in harsh weather conditions such as those encountered in the

Arctic will suffer from the consequences of icing. In order to assure high efficiency and

autonomous operation, a robust diagnosis scheme that detects both faults and icing is required.

Research at NTNU is focusing on developing these schemes and integrating them with fault

tolerant control techniques.


niques to nonlinear systems, with theo-retical guarantees of stability and per-formance. Unlike linearization tech-niques, LPV methods do not involveany approximation, since they rely onan exact transformation of the originalnonlinear system into a quasi-linearone, by embedding all the original non-linearities within some varying param-eters. As a consequence, it is possibleto develop LPV fault/icing diagnosisschemes, which are consistent with awide range of operating conditions. Tothis end, the research at NTNU isfocusing on two approaches. The firstinvolves using unknown inputobservers (UIOs) [1], i.e., observersthat allow the state of a given system tobe estimated independently of someunknown inputs. UIOs can be madeinsensitive to certain inputs if somestructural conditions on the system arefulfilled, which is a property that canbe exploited in order to achieve a suc-cessful fault/icing diagnosis. Thesecond approach involves multiplemodel adaptive estimators (MMAE)[2], which comprise a collection oflocal observers, each of which pro-vides the state estimation which wouldcorrespond to a predefined value ofsome unknown parameter that can berelated to the presence/absence offaults or icing. Under some conditions,the diagnosis can be performed byanalysing which observer exhibits the

smallest output estimation errorenergy.

On the other hand, the presence ofuncertainty, disturbances and noise isbeing addressed at NTNU using thetheory of interval observers. In contrastwith classical observers, which try toprovide an exact estimation of the state,interval observers are an appealingalternative that aims at providing theset of admissible values for the state ateach instant of time. In other words,assuming that the different sources ofuncertainties are constrained in knownbounded sets, an interval observer com-putes the lower and upper bounds forthe state, which are compatible with theuncertainty. By merging the aforemen-tioned UIO/MMAE with the theory ofinterval observers, robust fault diag-nosis approaches that assure theabsence of false alarms can beobtained. At the same time, intervalobservers can be integrated with faulttolerant control (FTC) techniques inorder to obtain a theoretical frameworkfor achieving robust fault/icing toler-ance in small unmanned aircraft.

The theoretical development is sup-ported by numerical simulations withhigh-fidelity simulators, and fieldexperiments are planned for the futurein order to test and validate the effi-ciency of the proposed techniques.

References:

[1] D. Rotondo et al., "Detection oficing an actuators faults in thelongitudinal dynamics of smallUAVs using an LPV proportionalintegral unknown input observers",Proc. of the 3rd Conf. on Controland Fault-Tolerant Systems(SysTol), Barcelona, Spain, 2016,pp. 690-697.

[2] D. Rotondo, V. Hassani, A.Cristofaro, "A multiple modelarchitecture for the adaptiveestimation of discrete-timesystems", accepted for publicationin Proc. of the IEEE AmericanControl Conference (ACC), 2017.

Please contact:

Damiano Rotondo, Tor Arne JohansenDepartment of EngineeringCybernetics, NTNU, [email protected],[email protected]

Figure�1:�Flight�test�at�Svalbard,�Norway.�Photo�by�Kjell�Sture�Johansen,�NORUT.�

Eu

rop

ea

n R

ese

arc

h a

nd

In

no

va

tio

n

Research and Innovation


bringing business

Processes to the Cloud

by Kyriakos Kritikos and Dimitris Plexousakis (ICS-FORTH)

Many organisations are considering moving their

business processes to the cloud to save money by also

taking advantage of its infinite and affordable resources.

However, this migration requires aligning the business

and cloud levels as well as adaptively managing the

business processes in the cloud. CloudSocket is a

project dealing with these issues, which facilitates the

transformation of business processes into business

process as a service (BPaaS) products offered by

organisations playing the role of a broker. A respective

platform has been produced which enables the

management of the whole lifecycle of a BPaaS.

In order to survive in a competitive and dynamic businessworld, organisations need to reduce costs and efficientlymanage and scale their core and supporting businessprocesses. As such, the cloud seems to be the right mediumfor deploying and adaptively provisioning these businessprocesses. However, moving a business process in the cloudcan be quite challenging. First, the business and IT levelsmust be aligned in such a way that the gap between businessrequirements and technical cloud-based capabilities can bebridged. Second, there is a need to appropriately manage anexecutable business process in the cloud such that it can bedynamically provisioned to guarantee the service levelagreed with the customer.

CloudSocket is a H2020 project [L1] which aims to addressthese needs. It ambitions to support the role of the brokerwhich has the ability to either offer BPaaS products in themarket or consult potential customers on how they canmigrate their business processes in the cloud. This projectoffers a BPaaS management platform [L2] that can deal withthe whole lifecycle of a BPaaS, thus constituting the maininstrument for realising the business of a broker. Such a plat-form comprises different environments which focus on dif-ferent activities of the BPaaS lifecycle.

The BPaaS Design Environment enables the broker to designbusiness processes and map them to abstract workflows. Thismapping is facilitated by two semantic approaches whichalso cater for the translation between business requirementsand technical capabilities: (a) one [1] focusing on annotatingbusiness process activities and workflow fragments withontological specifications to facilitate their alignment; (b)another focusing on a questionnaire-based approach whichguides the user to provide the right answers in the pursuit ofdiscovering cloud services that can realise the functionalityof a business process.

The abstract workflow developed by the previous environ-ment becomes concrete and deployable via the use of theBPaaS Allocation Environment. This environment is able toconcretise the abstract workflow by selecting SaaS servicesthat can realise workflow tasks as well as IaaS services tosupport the provisioning of the BPaaS workflow software


components. This concretisation is facilitated by two com-plementary research approaches: (a) one [2] which relies onsemantics and the concurrent selection of both IaaS and SaaSservices to optimise the broker non-functional objectives; (b)another [3] which uses a DMN [L3]-based approach map-ping decisions to quite technical description artefacts in theCAMEL [L4] language.

Deployable workflows are then offered in the form of aBPaaS bundle to potential customers via a Marketplace.Once such bundles are purchased by customers, they aredeployed in the cloud and adaptively managed via the inte-gration of three main components: (a) a Workflow Enginedealing with the workflow execution and management; (b) acloud orchestration engine (Cloudiator [L5]) dealing withthe cross-cloud workflow deployment; (c) a cross-layerservice monitoring and adaptation framework.

Finally, the lifecycle loop is closed via the BPaaS EvaluationEnvironment which attempts to offer various types ofanalysis over the BPaaS performance to produce added-value knowledge that can be used to optimise the BPaaS.This environment relies on a semantic approach which inte-grates and semantically lifts information coming from thethree components in the BPaaS Execution Environment intoa Semantic Knowledge Base (SKB) and adopts a transforma-tion approach to map high-level descriptions of KPIs to

aaSPB igesDWe

tenmnoirvn EgnellerdMo-bWe

alumiSss ecorPgsindinFaaSPB

B

s.vnoita:gs

aaSP irvn EniotaluavEhboasD-sesinsu BidrybH

tenmnoirdarhbo

We

enmyolDep,IPKrss PensiuB(

idrybH

elnerKtenmlignA

c tinameS

elle

rd

Mo

wlofkro

le W

ellerdMo-bWe

)stenemriueq Rten,ww,olfkroWss,ecor

ellerd Moid

elnerKel dMoaMet

IAP

ortionMsseocrPalumiSss ecorP

ptencoCors.vnoita

coPr

eginnEscitynal Aualpt

hboasDsesinsu BidrybH

g:inroitnMoaaSPB

eginnEg in Minsesc

darhbo

e sffotisLswlofkroWca PignesDaaSPB

elnerK

le W

batuecxE

l ev lehig Hseicvree:gakc

elnerK

IAP

AP

a DateMss ensiuBtaa DtaeMaaSPB

Bata

ta

aaSPB oirvn EniotuecxE

epacskroW-bWe

ralewdMidaaSPB

lodetffi lyllaictnameSg:inroitnMoaaSPB

tenmno

e

er

ata dglo

aaSPB lloA

le DdnuB

nIle dnuB

emriueq rtenmyolepde sff sotisL,swlofkroW

iotacAllo

.nvEniotacllo

erignesle D

rtoaitntas

steneml ev lehig H,seicvre

roitd en

ldMo

okflro WelbatuceExledMo

ss ecorss PensiuBle:dnuBaaSPB

elcyCefiLdnagnirnaLe

aaSPB

Pr

MLAS

w

eclap

etkrM

aaa

SPB

rotia Medata DsescoPr

eginn EwlofkroW

ginn Eeridvo PrduloC

reanag MeginnEitadaptA

egi

nnE

g inroitn

Mo

egin

en o

iotacAllo

AL S &IPK

ginicrP

roitd en

rtoideA

roitd e

inicrPA &LSd anIPKallo.pmo CerwatfoS

niotacallosceivrec SimotA

ledMo

omtuAvOeD

/PP//Igin

.callo

omCCC

ymloepDonitaomspvO

aaSS/

esicver SduloC

ttp neonmpd uolC

kcat StenymaaSPB

Figure�1:�CloudSocket�BPaaS�management�platform�architecture.

SPARQL [L6] queries to be assessed over the SKB so as tosupport KPI evaluation and drill-down.

Links:

[L1] www.cloudsocket.eu[L2] www.cloudsocket.eu/download[L3] www.omg.org/spec/DMN/[L4] www.camel-dsl.org[L5] github.com/cloudiator/[L6] www.w3.org/TR/rdf-sparql-query/

References:

[1] K. Hinkelmann, et al.: “A Modelling Environment forBusiness Process as a Service”, in CAiSE, Springer,2016.

[2] K. Kritikos, D. Plexousakis: “Multi-Cloud ApplicationDesign through Cloud Service Composition”, In Cloud,686-693, 2015.

[3] F. Griesinger, et al.: “A DMN-based Approach forDynamic Deployment Modelling of Cloud Applica-tions”, in International Workshop on Cloud Adoptionand Migration (CloudWays) at ESOCC, 2016.

Please contact:

Kyriakos Kritikos and Dimitris PlexousakisICS-FORTH, Greece{kritikos,dp}@ics.forth.gr

https://github.com/cloudiator


Shaping future –

A Method to Help orient

Science and technology

development toward

Public Preferences

by Martina Schraudner and Marie Heidingsfelder

(Fraunhofer IAO)

Our research project Shaping Future presents a

methodology for setting need-oriented research

agendas in the field of human-machine interaction.

Innovative technologies must reflect their socio-technicalcontext and conditions to be transferred into technical inno-vations; emerging from a techno-scientific world, they mustbe embedded into social practices to be successful. Agenda-setting processes have conventionally been determined byspecialists, largely because technology foresight faces adouble-bind problem known as the ‘Collingridge dilemma’.The full functionality and impact of a new technologycannot be easily predicted until this technology is suffi-ciently developed and widely used, after which time it is dif-ficult to make substantial changes [1]. In addition, currentlanguage-based methods predispose one to rely on pre-

existing terminology and schemas and thereby restrict one’sopenness and creativity while trying to picture desirablefuture developments.

In the project ‘Shaping Future’ we developed an original andinterdisciplinary methodology to integrate laypersons intothis otherwise mainly expert-driven process [2]. This processcomprises three major stages connected by two transferstages, clustering and transformation (see Figure 1). Each ofthese stages requires its own methodological approaches. (i)In a series of co-ideational workshops, we needed to enablelaypersons to articulate their preferences toward technolog-ical advances and the directions they might take. (ii) For theprofessional utilisation of these preferences, we needed todevelop a method to enable researchers from different back-grounds to understand each other, to interact on equal termsand to find interdisciplinary solutions based on thelayperson’s needs. (iii) Finally, for the dissemination ofresults, we publicly displayed a number of design fiction pro-totypes, developed by professional designers, in order to ini-tiate a widespread discourse about desirable technologicaladvances. Thus, the developed methodology can open the

processes of technology development and agenda-setting tothe general public.

The current results of Shaping Future suggest that methods ofparticipatory design and the social sciences can be adoptedand combined for participatory agenda-setting processes farbeyond the field of human-machine interaction [3]:• Participatory prototyping provides a particularly effective

technique for enabling laypersons to realise and exploretheir preferences toward prospective, as yet unknown,technological advances and the methods by which they areproduced. Overall, workshop participants considered thistechnique to be the key to the entire process. Buildingupon approaches from both participatory design and thesocial sciences, we developed an original, methodologi-cally sound procedure for data analysis. With the help ofthis procedure, we extrapolated laypersons’ preferencesfrom the aggregate data, comprising tangible objects, writ-ten descriptions, audios, and videos, and clustered thesepreferences. This refinement rendered the lay input notonly understandable and appealing to participating spe-cialists but also generally suitable for the purposes of tech-nology development.

• By transforming this input, participating specialists were,in turn, able to outline promising research trajectories.Going beyond the limits of language, our design-basedmethod enabled them to transcend everyday practicality,professional terminology and ‘silo-knowledge’[4].

• By publicly displaying design fiction prototypes, that give aphysical shape to the layperson’s needs and the expert’s eval-

uation, we intend to reach a larger audi-ence and ultimately engage a larger num-ber of people in technology foresight.

The methodology allows us to gobeyond preference articulation and toopen up a process of collaborativesense-making in the context of futuretechnologies.

The Shaping Future project is funded bythe German Federal Ministry for Education and Research(BMBF), project ID 16I1639.

References:

[1] A. F. Blackwell, et al.: “Radical innovation: crossingknowledge boundaries with interdisciplinary teams”,No. UCAM-CL-TR-760, University of Cambridge,Computer Laboratory, 2009.

[2] M. Heidingsfelder, et al.: “Shaping future – Adaptingdesign know-how to reorient innovation towards publicpreferences”, Technological forecasting and socialchange, 101, 291-298, 2015.

[3] M. L. Heidingsfelder, F. Schütz, S. Kaiser: “Expandingparticipation participatory design in technology agenda-setting”, in Proc. of the 14th Participatory Design Con-ference: Short Papers, Interactive Exhibitions, Work-shops-Volume 2, 25-28, ACM, 2016.

Please contact:

Martina Schraudner, Fraunhofer IAO- Fraunhofer Centerfor Responsible Research and Innovation, Berlin [email protected]


Figure�1:�The�Shaping�Future�process.


User-Centric Analysis of

the CAPtCHA Response

time: A New Perspective

in Artificial Intelligence

by Darko Brodić, Sanja Petrovska, Radmila Janković

(Univ. of Belgrade, Serbia), Alessia Amelio (Univ. of

Calabria, Italy) and Ivo Draganov (Technical University of

Sofia, Bulgaria)

The Completely Automated Public Turing Test to tell

Computers and Humans Apart (CAPTCHA) test is

designed to differentiate between human users and

bots. The time spent to find a solution to the CAPTCHA

test is correlated with particular demographic

characteristics of Internet users. This knowledge can be

used to predict which CAPTCHA tests are best suited to

different users.

CAPTCHA is an acronym of ‘Completely Automated PublicTuring Test to tell Computers and Humans Apart’. It is a test-puzzle verified by computers that has particular characteris-tics that make it only solvable by humans. Essentially, theCAPTCHA is used to differentiate computer users from botswhen they access a particular website. A bot (abbreviation ofrobot) is a software program that automatically runs tasks onthe Internet, which represent a security risk. If a user cor-rectly solves the CAPTCHA task, then the program willrecognise it as a human. Hence, the aim of the CAPTCHAtest is to identify attacks by bots.

Different CAPTCHA types have been proposed in the litera-ture. The most widespread types are: (i) text-based, charac-terised by text and/or numbers, and (ii) image-based, relatedto image recognition tasks. In text-based CAPTCHA types,the user is required to recognise text and/or numbers and

report them inside a text field. Figure 1 shows an example oftext-based CAPTCHA types.

In image-based CAPTCHA types, the user is required toidentify a certain image among a collection of images. It caninclude the identification of image types in a specific con-text, i.e. a house with numbers, an animated character, a pic-ture of the CAPTCHA or an old woman, and the identifica-tion of images related to psychological states in the context,i.e. a worried face or a surprised face. Figure 2 depicts anexample of image-based CAPTCHA types.

There has been relatively little research into the usability ofthe CAPTCHA test: how easy it is for a user to solve theCAPTCHA. The main limitations of the proposedapproaches to analysis are: (i) the number of users involvedin the analysis, which is quite small (i.e., the statistical signif-icance of the tested population), (ii) the reduced user popula-tion features, and (iii) the low number of consideredCAPTCHA types [1].

We extend the way of analysing CAPTCHA usability basedon the time spent for a user to find a solution to theCAPTCHA. We recruited approximately 200 volunteerusers for this study. Each user was interviewed to evaluatetheir time spent to solve the CAPTCHA test. Each user pro-vided anonymous personal data including: age, gender, edu-cation level and Internet experience (in number of years).Users included students, engineers, teachers, and employees,with ages ranging from 18 to 52 years, with different levelsof experience in Internet use. Each user was required to solvethe text and image-based CAPTCHA types and theirresponse times were recorded.

This data was analysed to determine whether a correlationexists between each demographic variable and the user’sresponse time to different CAPTCHAs. It is pursued by for-mulating statistical hypotheses describing such a correlation.Analysis should accept or reject the formulated hypotheses.Accordingly, the correlation coefficient and statistical tests

Figure�1:�Text-based�CAPTCHA�samples:�only�text�(left),�and�only�numbers�(right).

Figure�2:�Image-based�CAPTCHA

samples:�picture�of�CAPTCHA�(top),

and�surprised�face�(bottom)



are employed for analysis of this correlation [2]. This allowsus to determine whether education level or gender, forexample, has an impact on CAPTCHA response time, andthe strength of the impact.

Statistical analysis was extended further by investigating thecorrelation between a set of demographic features and theresponse time to different CAPTCHAs. It was performed byextracting association rules from the population data [3].They are rules expressing the dependence of the responsetime (e.g., high response time) from the co-occurrence ofsome demographic feature values (e.g., age below 35 yearsand female gender), and the strength of such a dependence.

The analysis demonstrates that number of years of Internetuse, young age and a higher education level help users toquickly solve the CAPTCHA test. Gender also has a smallimpact on CAPTCHA solving time. Older users require ahigher education level to solve the CAPTCHA with surprisedand worried faces. Finally, CAPTCHA with only numbers issolved more quickly than CAPTCHA with only text, whileimage-based CAPTCHA has the lowest resolution time, inparticular the animated character images.

This study offers invaluable insights to help predict whichCAPTCHAs are best suited to different Internet users. Itinvolves the University of Belgrade, Serbia, the Universityof Calabria, Italy, and the Technical University of Sofia,Bulgaria.

References:

[1] L. Ying-Lien, H. Chih-Hsiang: “Usability study of text-based CAPTCHAs”, Displays 32(2): 81-86, 2011.

[2] D. Brodić, S. Petrovska, M. Jevtić, Z. N. Milivojević:“The influence of the CAPTCHA types to its solvingtimes”, MIPRO: 1274-1277, 2016.

[3] D. Brodić, A. Amelio, I. R. Draganov: “Response TimeAnalysis of Text-Based CAPTCHA by AssociationRules”, AIMSA: 78-88, 2016.

Please contact:

Darko BrodićTechnical Faculty in Bor, University of BelgradeE-mail: [email protected]

How to Secure Internet

of things devices in an

Energy Efficient Way

by Zeeshan Ali Khan and Peter Herrmann (NTNU)

In our daily lives, we are surrounded by a plethora of

connected devices. But can we be sure that they are all

secure and will not start malicious attacks against us?

Many devices are small and have only limited

processing and battery power such that traditional

security mechanisms cannot be used. In this article, we

propose a trust-based intrusion detection system that is

resource-friendly and offers energy-efficient media

access.

Innovative technology plays an increasingly important rolein our daily lives. We deal not only with independentdevices, but with devices that communicate with each otherand form an Internet of Things (IoT). According to most pre-dictions, several billions of ‘things’ will be connected withthe internet in the coming years [L1]. Many of these con-nected devices will be very small and cheap such that theycan be placed wherever they are required. The interconnect-edness of the IoT devices and networks, however, poses asignificant risk since the systems will be subject to maliciousattacks. An example is denial of service attacks precludingthe devices from communicating with other stations.Therefore, security issues must be considered for the engi-neering and deployment of IoT networks. Further, theapplied security mechanisms have to address the limitationsof many devices in terms of memory, power, and bandwidth.Otherwise, the devices can be quickly depleted.

In the scope of an ERCIM fellowship, we propose the use ofIntrusion Detection Systems (IDS) to minimise the chancesof Denial of Service (DoS) attacks. Our solution concen-trates on attacks that actively try to omit crucial communica-tion between nodes. In ad-hoc networks, this can occur viainsider attacks in which the intruder manages to compromisethe routing capability of devices. To reduce the computingeffort for the small devices, we use trust management [1]which allows the emulation of trust relations in other entitiesby relatively lightweight but powerful mechanisms. In acomputer, one can describe the trust of an entity in anotherone by a trust value. Using special metrics, the trust valuescan be adapted based on the good and bad experiences onehas with a trustee over time. This reflects the development oftrust relations in quite a natural way. Moreover, operatorsexist that allow us to consider recommendations by third par-ties and to aggregate the trust values of several entities with atrustee to a more general reputation.

In [2], we introduced a trust-based IDS for the popularRouting Protocol for Low power and Lossy networks (RPL[L2]). An example of RPL based IoT network for Healthcareapplications is explained in Figure 1. In this approach, net-work nodes monitor the behaviour of adjacent nodes, e.g., bylistening to whether they forward messages as demanded bythe protocol. When a node forwards a message correctly


within a certain period of time, this counts as a positive expe-rience and otherwise as a negative one. Based on that, thepersonal trust values are amended and, by exchanging themwith other nodes, a more general reputation of a node is built.If the trust-building process reveals that a certain node has abad reputation among its neighbours, it is assumed to beinfected and can be quarantined.

To get practical evidence of our approach, we are in theprocess to create a test-bed consisting of Z1 devices runningthe operating system Contiki. First results show that the com-putations needed to build trust values are not computingintensive. On the other side, however, the trust based mecha-nisms seem to drain the often scarce battery supplies of anode. The main reason for that is that the monitoring of theneighbouring nodes is achieved by active channel listening,i.e., by constantly listening to the wireless network channelwhich is an energy intensive activity.

To overcome this problem, we have extended our work andpropose to use our approach to the media access protocolIEEE 802.15.4 [L3] that offers mechanisms to reduce activechannel listening. A first outcome of this extension is that abeacon-based mode with guaranteed time slots, offered bythis protocol, can reduce the active channel listening dramat-ically. Our simulations and analysis showed that the reduc-tion will be between 50 % and 75 %. Like with the RPL pro-tocol, the extension shall be further tested with our Z1-basedtest-bed.

Finally, we are in the process of developing a studyreviewing the state of the art of IDS existing for the IoT net-

works. Here, we will also look on existing systems forMobile Ad-hoc Networks (MANET), Wireless SensorNetworks (WSN) and Cyber Physical Systems (CPS) thathave properties close to IoT and might also be usable in thisarea.

Links:

[L1] www.woodsidecap.com/wp-content/uploads/2015/03/WCP-IOT-M_and_A-REPORT-2015-3.pdf

[L2] tools.ietf.org/html/rfc6550[L3] www.ieee802.org/15/pub/TG4.html

References:

[1] A. Jøsang: “A Logic for Uncertain Probabilities”, Inter-national Journal of Uncertainty, Fuzziness and Knowl-edge-based Systems, vol. 9, pp. 279-311, 2001.

[2] Z. A. Khan, P. Herrmann: “A Trust Based DistributedIntrusion Detection Mechanism for Internet of Things”,in 31st IEEE International Conference on AdvancedInformation Networking and Applications (AINA),Taipei, Taiwan, 2017.

[3] G. Swamynathan, K. C. Almeroth, B. Y. Zhao: “Thedesign of a reliable reputation system”, ElectronicCommerce Research, vol. 10, no. 3, pp. 239-270, 2010.

Please contact:

Zeeshan Ali Khan, Peter HerrmannNTNU Trondheim, [email protected], [email protected]

Figure�1:�An�Example�of�RPL�based�IoT�network,�for�Healthcare�Application.

https://tools.ietf.org/html/rfc6550


Security testing for Mobile

Applications

by Peter Kieseberg, Peter Frühwirt and Sebastian

Schrittwieser (SBA Research)

In recent years, standard end-to-end encryption

protocols have become increasingly popular for

protecting the security of network communication of

smartphone applications, as well as user privacy. On

the whole, this has been a good thing, but this reliance

has also resulted in several issues related to testing.

Software products have been becoming increasingly closelyconnected, particularly since the rise of mobile environ-ments. Even programs doing menial tasks now require theuser to go online, either to use cloud-based resources, orsimply because the software provider does not charge usersdirectly, but generates revenue by collecting and selling userpreferences and advertising space. While the latter is often tobe considered unethical, a study indicates that even those

who complain are actually quite willing to give up privacy ata rather small price (see also for the ‘privacy paradox’ [1]).

This increase in connectivity is accompanied by a largerattack surface open to potential malicious actors.Furthermore, the time to market of software products is get-ting shorter as the market is getting increasingly competitive,resulting in a virtual omnipresence of security issues in cur-rent productive software. Even more problematic is the factthat most of the issues currently impairing software securityare not based on new scientific findings or large-scale (crim-inal) organisations conducting intense research for new vul-nerabilities to put to criminal use, but rather exploit knownweaknesses introduced either by ignorance, or by puttingtrust into well-known security measures that were neverdesigned for the problem at hand.

While the first problem refers to the problem of diminishingresources during the software development process and canbe fixed using training, appropriate management and, mostimportantly, by setting aside resources, the latter is far moreproblematic and often touches at the very core of the designprocess of the software: Developers intrinsically assume cer-

tain aspects of their software and its use without furtheranalysing the real attack surface. One very prominentexample is the use of transport layer protection in mobileenvironments, with Transport Layer Security (TLS)[L1]being the de-facto standard for transport encryption. Duringa case study we analysed a set of mobile apps with respect tothe usage of this protocol. We focussed on mobile environ-ments since they possess some characteristics that are dif-ferent from typical web-based applications. Condensing theresults, we typically encountered two major issues with theuse of TLS:

1. TLS was designed to provide secure end-to-end commu-nication, always assuming the two endpoints to be trust-ed entities, i.e., removing them from the attacker model.Likewise, many software designers seem to assume thatthey possess full control over the client side of the soft-ware, which is clearly a problematic view in the case ofmobile apps, where the client needs to be identified as apotential attacker. Many reasons for client side attackscan be found, e.g., in the realm of mobile messengerapps, users could try to impersonate other people in orderto access or spoof messages. Particularly in apps that

require the user to pay for the servicesprovided, the motivation for attackingfrom the client side is rather straight-forward.

2.Developers seem to rely far too muchon the powers of TLS, even assumingcapabilities, a protocol for transportlayer protection can never hold up to.All TLS does is allow encrypted com-munication. ITLS cannot, for exam-ple, fix a protocol for authenticationthat is fundamentally flawed from alogical perspective. Nevertheless, wegot the impression that in many appsTLS is seen as the silver bullet to fixany security-related issues.

These issues should typically be uncovered during the testphase, but our study on many popular apps, including mobilemessengers, mobile games, social networks and even onlineticketing shops, revealed an astonishing number of insecureprotocols and a general misconception of the attacker sur-face. Our testing approach for uncovering insecure protocols(see [2] and [3]) relied on the fact that the smartphone the appis running on is under full control of us as adversaries, espe-cially since any attacker having physical access to the phonecan potentially manipulate hard- and software, including theoperating system (or even run the whole app on a emulatorwithout any actual smartphone). Since we controlled thesmartphone we could make the phone route all of the(encrypted) traffic through a proxy, which was also con-trolled by us (see Figure 1). While TLS protected the com-munication from the phone to the proxy and from the proxyto the server of the service provider of the app, all the infor-mation is visible on the proxy, thus making every aspect ofthe protocols visible for analysis. For this approach, onlystandard tools are required, not only making this a goodstrategy for attacking apps, but also a viable and cost-effec-tive measure for testing.


Figure�1:�Testing�approach.


In conclusion, it is clear that the topic of software testingneeds far more focus, especially considering the new dangersof fully integrated and interconnected environments as envi-sioned by ubiquitous computing and the ‘internet of things’.Based on the experiments carried out in order to grasp themajor problems and assess them, we will put our efforts intodefining a testing approach suitable for interconnected envi-ronments, starting with the design phase of the software.Furthermore, we plan to support this approach with tools thatwill speed up the testing process for well-known and impor-tant protocols. Nevertheless, one of the major issues stillprevalent with software testing, the issue of resources,cannot, in our opinion, be fixed on a technical level, butrequires far more awareness on the management level.

Link:

[L1] https://tools.ietf.org/html/rfc5246

References:

[1] P. A. Norberg, D. R. Horne, D. A. Horne. “The privacyparadox: Personal information disclosure intentions ver-sus behaviors”, in Journal of Consumer Affairs 41, no.1, 100-126, 2007.

[2] P. Kieseberg,et al.: “Security tests for mobile applica-tions – Why using TLS SSL is not enough”, in 2015IEEE Eighth International Conference on SoftwareTesting, Verification and Validation Workshops(ICSTW), 2015.

[3] R. Mueller, et al.: “Security and privacy of smartphonemessaging applications”, International Journal of Perva-sive Computing and Communications, vol. 11, 2015.

Please contact:

Peter Kieseberg, SBA Research, Vienna, [email protected]

53

u'smile – Secure Mobile

Environments

by Georg Merzdovnik, Damjan Buhov, Artemios G.

Voyiatzis and Edgar Weippl (SBA Research)

Protecting user security and privacy on the internet

takes more than transport layer security (TLS) and

strong cryptographic algorithms: utilizing TLS notary

services and certificate pinning for improved defences

against prevalent third-party tracking.

Smartphones and mobile devices are becoming an integralpart of life in the connected world. They allow easy access toinformation and content generation as well as consumption.A significant driving factor for their wide acceptance is theenormous number of available applications (commonlyreferred to as ‘apps’). For example, by the beginning of2017, the Google Play Store offered more than 2.6 millionapps for smartphones, ranging from games and weather appsto office suites and banking apps. While these applicationsoffer huge potential, they can also, either intentionally orinadvertently, pose a security and privacy risk to their users.

At the Josef Ressel Centre for User-friendly Secure MobileEnvironments (u'smile) we are analysing security issues incurrent and future mobile applications. We are working on:(i) the design, development, and evaluation of concepts,methods, protocols, and prototype implementations foraddressing security risks, and (ii) communication and co-ordination with industry partners and standardisation organi-sations with the goal of establishing globally accepted stan-dards for secure, interoperable mobile services.

One area that we are working on is the security and privacyof network communications of mobile apps and their cloud-based services. All published applications go through inspec-tion for malware behaviour before being published in theGoogle Play Store. However, user tracking and other formsof privacy leaks are still feasible, especially through adver-tisements included in apps and web applications to provide arevenue stream for the developers of free or low-priced soft-ware. A large number of tracker-blocking applications andapps are available for privacy-conscious users. We per-formed a large-scale study of the effectiveness of availabletracker-blocking tools [1], which showed that despite theirsophistication, tools cannot defend against all privacy leaks.Furthermore, a significant portion of applications transmitinformation over HTTP without establishing a secure con-nection over the TLS protocol (i.e., use HTTPS). This badpractice allows traffic interception and content inspection in-transit, increasing the threat of user tracking.

Digital certificates are used by TLS and allow verification ofthe identity of the server an app is connecting to as well assetting up a connection for exchanging information securely.Numerous certificate authorities come pre-installed inmodern mobile operating systems, all of which are equallytrusted by an app to offer a valid certificate for any internetserver. TLS notary services collect and distribute informa-tion from TLS certificates presented at various points on the

Links:

[L1] usmile.at/[L2] www.sba-research.org/

References:

[1] G. Merzdovnik et al.: “Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools”, in 2nd IEEEEuropean Symposium on Security and Privacy (IEEEEuro S&P), 2017.

[2] G. Merzdovnik et al.: “Whom you gonna trust? A longi-tudinal study on TLS notary services”, IFIP DBSec2016.

[3] D. Buhov, et al.: “Pin It! Improving Android networksecurity at runtime”, IFIP Networking 2016.

Please contact:

Georg Merzdovnik and Edgar WeipplSBA Research, Vienna, [email protected],[email protected]


internet. Upon connecting over HTTPS to a website, an appcan consult a TLS notary service and check if the presentedcertificate is the same as the one presented to other users. Ifnot, it might be a good indicator that the connection with theserver has been intercepted and a fake-but-valid certificatepresented to the user for nefarious purposes (i.e., a man-in-the-middle attack). We performed a longitudinal study ofopenly-accessible TLS notary services spanning one year[2]. Our findings indicate that while the offered service isindeed valuable for internet hygiene, there is currently littleincentive for service operators to cover the incurred costsand thus, their availability is dropping.

‘Certificate pinning’ is an approach used by highly-sensitiveapps (e.g., banking apps) to ensure that only selected, app-specific certificates are used to validate server identity.However, developers often fail to implement certificate pin-ning correctly. In some cases, this even breaks the normalTLS certificate validation procedure, rendering the app moreinsecure compared to not implementing certificate pinning atall. We designed, implemented, and demonstrated a system-level approach that transparently forces certificate pinningfor installed apps and thus, reduces their exposure to relatedattacks [3]. Our approach does not require developers toupdate their app. As a next step, we extended our designtowards a notary-assisted approach. This allows proper cer-tificate pinning even when the application is connecting witha web resource for the first time by relying on the collectiveknowledge already contributed to the TLS notary services.Also, the new design requires minimal if any intervention byusers; users are effectively freed from any uninformedsystem-level security decisions, which are otherwise acommon source of security problems.

Secure mobile environments are key building blocks for theInternet of Things (IoT) world. The need for security isbecoming increasingly apparent as self-managing mobiledevices and apps are deployed and operate transparently tothe users. Researchers at u’smile have been working on thistopic since October 2012. The Josef Ressel Center u’smile isfunded by: the Christian Doppler Gesellschaft (CDG); A1Telekom Austria AG; Drei-Banken-EDV GmbH; LG NexeraBusiness Solutions AG; NXP Semiconductors AustriaGmbH; and Österreichische Staatsdruckerei GmbH.


Alice

MalloryNotaries

Alice

MalloryNotaries

?Alice

MalloryNotaries

?Figure�1:�Example�of�TLS�notary�service�operation�–�the�connection�to�the�server�is�only�trusted�if�the�two�certificates�match.

https://usmile.at/


ARIES: Reliable European

Identity Ecosystem

by Nicolás Notario, Alberto Crespo (Atos), Antonio

Skarmeta, Jorge Bernal and José Luis Cánovas

(Universidad de Murcia)

ARIES (ReliAble euRopean Identity EcoSystem) will

provide secure privacy-preserving identity management,

effectively reducing the risk of identity fraud and crime.

Personal data and individual identities are becoming increas-ingly vulnerable in the virtual world, which facilitates inter-action between international stakeholders and the globalisa-tion of crime. Public trust in online security is waning owingto the current lack of adequate solutions, including appliedtechnologies and processes for trusted enrolment, identifica-tion and authentication processes. For example, mostcommon authentication means are usernames and pass-words, a solution that has been demonstrated to be vulner-able. Furthermore, there is a lack of a common EU wide con-cept of identity theft and room for improvement in the area ofreporting mechanisms (especially across borders) [1] whichcosts companies, countries and citizens billions of Euros infraud and theft. As acknowledged in the European Agenda onSecurity, ‘cybercrime is an ever-growing threat to citizens'fundamental rights and to the economy, as well as to thedevelopment of a successful Digital Single Market’ [2]

In this context, ARIES H2020 European research project [L1,L2] will enable secure, reliable and privacy-preserving iden-tity management and derivation techniques, both to allow asecure user interaction with services and to prevent / reducerisks of identity theft and fraud crimes. ARIES ecosystem

appears in the context of delivering a comprehensive frame-work and holistic approach of innovative technologies,improved processes and security features capable ofenhancing the European eID ecosystem and achieving a tan-gible reduction in levels of identity theft, fraud and associatedcrimes.

ARIES ecosystem (see Figure 1) will empower its users witha mechanism (identity virtualisation process) allowing themto generate virtual identities, simultaneously linked to the cit-izens’ biometrics and to existing digital or physical identitiespossessing a high level of identity assurance such as an eID orePassport. These virtual identities can be stored and managedthrough a secure wallet usually installed in the citizens' smart-phones. The usage of a convenient secure wallet to manageand present virtual identities will positively impact the usageof highly assured identities as it will avoid the usability issuesand technological fragmentation (multiple standards) ofphysical identities and related technologies across Europe.

The ARIES ecosystem allows and encourages users to com-bine different virtual identities that have a high contextualvalue (e.g., national eID and bank information for an onlinetransaction) into derived identities that minimises the datadisclosed (e.g., there may be no need to disclose the sex ofthe person) and that can be reused in further interactions.Cryptographic proofs for the identity enrolment, virtualisa-tion and derivation processes can be stored, with the consentof users, in a secure vault that provides guarantees ofintegrity, confidentiality, auditability and compliance onlyaccessible to law enforcement authorities when a cybersecu-rity incident occurs and when their assistance is required tohelp recover from an identity theft or loss [3].

The ecosystem will be demonstrated in two orthogonal realworld use cases. In the first, ARIES will allow users to

Figure�1:�ARIES�ecosystem.

securely connect to an online commerce site, enabling amutually trusted relationship without the need of disclosingnon-essential personal data. The second use case will focuson the enrolment process and physical access control to asecure-sensitive environment such as an airport. The airportscenario will effectively show how different derived identi-ties, with different levels of privacy, can be used in differentsituations (e.g., airport access control, boarding control andduty free shops) combining attributes with different levels ofassurance coming from different identity and attributeproviders (e.g., national eID or passport and electronicboarding passes).

In terms of social transformation factors, ARIES will con-tribute to lower several barriers, including end-user accept-ance, by providing a secure and privacy by design enabledsolution. ARIES will endow users with the ability to anchortrust on a secure and high level assurance infrastructure thatwill be used to derive additional virtual identities supportingdifferent levels of privacy-preserving and anonymizationcapabilities but relying on a law enforcement mechanism toobtain effective support in the event of identity-relatedcrimes. This will make users feel more secure in these eIDecosystems, which ultimately will encourage the use of elec-tronic identities and increase the trust in, and adoption of,ICT and online services across the EU by both citizens andbusinesses.

ARIES is a project that specifically aims to prevent andreduce the risk of identity theft and fraud crimes. This isachieved by the means of cryptographic links betweenderived, virtual and biometric identities and by the crypto-graphic proofs accessible at the secure wallet by law enforce-ment agencies that can leverage them when investigatingidentity crimes.

The ARIES project is a Research and Innovation Actionfunded by the European Commission’s Horizon 2020 pro-gramme and the consortium carrying it out consists of a well-balanced mixture from six European countries consisting ofindustry partners, SMEs, public law enforcement bodies andalso one retailer.

Links:

[L1] aries-project.eu/[L2] twitter.com/AriesH2020

References:

[1] N. Robinson et al.: “Comparative Study on Legislativeand Non Legislative Measures to Combat Identity Theftand Identity Related Crime”

[2] European Commission: “The European Agenda onSecurity”, COM (2015) 185 final.

[3] I. Naumann, G. Hogben: “Privacy features of EuropeaneID card specifications” Network Security, Vol. 2008.

Please contact:

Nicolás Notario, Atos Research & Innovation, [email protected]

Antonio Skarmeta, Jorge BernalUniversidad de Murcia, [email protected], [email protected]



the KandIStI/UMC online

open-Access Verification

framework

by Franco Mazzanti, Alessio Ferrari and Giorgio O.

Spagnolo (ISTI-CNR)

ISTI-CNR provides an online open-access environment

for the experimentation of design, analysis and

verification of UML-based system models. Great as a

didactic environment, it can successfully compete in

terms of friendliness and usability with the most

mainstream verification frameworks.

KandISTI [1] [L1] is an open-access, online, modelling andverification framework for software-intensive systemsdeveloped at ISTI by the FMT Laboratory. It is composed ofa set of experimental analysis/verification tools (CMC,FMC, UMC, VMC) of which UMC is the most advancedcomponent. To date, UMC has been applied to a range ofcase studies in the railway, automotive and telecommunica-tions fields [2,3].

In UMC, a system is defined as a set of communicating statemachines. Each state machine is described by a UMLStatechart. The dynamic behaviour of a UML system can be:interactively explored; visualised as an evolutions graph;summarised by a minimal set of traces; model-checked usinga parametric, branching-time state- and event-based, para-metric, temporal logic.

The development of UMC started in 2001 and since then hasbeen continuously improved with the support of several EUand regional projects (AGILE, SENSORIA, TRACE-IT). Ithas now reached version 4.4, and a maturity level that makesit usable not only for small prototypes but also for real-worldsystems.

The main feature of the framework is the high degree ofusability of all its functionalities; also for this reason it hasoften been used with satisfaction as a didactic environmentfor teaching and experimenting formal verification princi-ples, and for supporting PhD and master’s degree projects.

During the interactive exploration of the system behaviour, itis possible to observe all the internal details of the reachedsystem configurations. For each system component we canobserve: the values of its local variables; the status of theevent queue; the set of currently active states and fireabletransitions; and the set of possible next states reachable by arun-to-completion step performed by the component.

If we request the visualisation of the graph that models thepossible system evolutions, we can click over a node of thegraph to display all the internal details of the correspondingsystem state.

After the verification of a logic formula, it is possible torequest a detailed explanation of how the evaluation resulthas been reached. Given that the supported logic is a

http://aries-project.eu/

https://twitter.com/AriesH2020


kind of platform (Unix, Linux, Windows, macOS) to allinterested parties, while maintaining centralised control overits continuous improvement.

On the other hand, the web encapsulation allows a trans-parent integration of the locally developed tools (which arecommand-line oriented) with features provided from otherframeworks (like minimisations with ltsmin and visualisa-tion with graphviz), and allows the dynamic interactionswith the user to be exploited in a natural and user-friendlyway. For example, when the user clicks over a node of a visu-alised graph, a command is dispatched to a model explo-ration generation tool, which generates a new fragment of thestate-space. This is saved as a ‘.dot’ file, converted into ‘.svg’by another tool, embedded into an ‘.html’ document andvisualised again as a graph to the user. We are not aware ofany other free verification environment that provides a com-

parable support for the dynamic analysisof UML system designs.

The KandISTI project is a long-termISTI internal project. We have plans forimproving the framework in severaldirections, among which a greater inte-gration with other verification frame-works (like SPIN, LTSmin, CADP,NuSMV, mCRL2, DiVinE), a betterexploitation of parallel/multicore archi-tectures and the support of further speci-fication/design languages.

Link:

[L1] http://fmt.isti.cnr.it/kandisti

References:

[1] M.H. ter Beek, S. Gnesi, F. Maz-zanti: “From EU projects to a fami-ly of model checkers”, Software,Services, and Systems, LNCS Vol.8950, Springer, 2015, 312-328.

[2] F. Mazzanti, G.O. Spagnolo, S.Della Longa, A. Ferrari: “Deadlockavoidance in train scheduling: Amodel checking approach”, in Proc.of the 19th International Workshopon Formal Methods for IndustrialCritical Systems (FMICS’14),LNCS Vol. 8718, Springer, 2014,109-123.

[3] M.H. ter Beek, S. Gnesi, F. Maz-zanti, C. Moiso: “Formal Modellingand Verification of an Asynchro-nous Extension of SOAP”, in Proc.of the 4th IEEE European Confer-ence on Web Services(ECOWS’06), IEEE, 2006, 287-296.

Please contact:

Franco MazzantiISTI-CNR, [email protected]

57

branching-time logic, the counterexample does not have theshape of a simple execution trace. The explanation of thevalidity of a formula is indeed presented in an interactiveway, and at any step of the explanation it is possible toobserve all the internal details of the involved system config-urations.

These characteristics of the UMC environment make it par-ticularly suitable for the analysis and verification of designsin the early stages of system development, when the basicstructures and ideas are being initially drawn, and are stilllikely to contain errors that the tool can discover, and allowthe user to make sense of them.

The decision to make the overall framework publicly acces-sible through the web is driven by the desire to make UMCand the other tools accessible without overhead from any

Figure�1:�A�component�of�an�interlocking�model.

How Ecosystems of

e-Infrastructures

can support

blue Growth

The BlueBRIDGE H2020 project con-vened a one-day workshop on 11January 2017 in Brussels entitled“Understanding how ecosystems of e-infrastructures can support BlueGrowth”. The aim of the event was toshowcase how the Blue Growth sector isbenefitting from services that theBlueBRIDGE project has to offer. Thelatter primarily regard the combinationof existing

e-infrastructure services with an easy touse interface. The workshop also pro-vided the opportunity to further discussopportunities related to data manage-ment with e-Infrastructures.

The rapid developments of on-line dataservices and exponential growth of dataquantity require collaborative and com-puting intensive solutions that can onlybe available through e-Infrastructures. Acharacteristic of e-Infrastructures is there-use of existing solutions. Re-use ofexisting services is an effective way tosave time and money. This is theapproach adopted by the BlueBRIDGEproject and the thread of the presenta-tions of the event. BlueBRIDGEdelivers specialised data services foraquaculture farm management, theecosystem approach to fisheries, spatialdata analysis, and marine spatial plan-ning. These services are operatedthrough Virtual Research Environmentsbuilt on top of a hybrid-data infrastruc-ture. This hybrid-data infrastructure iscapable of dynamically federating com-puting and storage resources comingfrom third party providers, datasetsbelonging to heterogeneous data

sources, analytical tools developed bydifferent organisations, and to offer allof these services in a unique collabora-tive environment.

Several users have already adoptedBlueBRIDGE services to solve theirdata management issues.

The workshop [L1] brought togetherstakeholders operating in the Blue

Growth sector, all with data manage-ment challenges needing integratedsolutions. Blue Growth is the long termstrategy of the European CommissionDirectorate-General for MaritimeAffairs and Fisheries to support sustain-able growth in the marine and maritimesectors. The stakeholders ranged frominternational fisheries organisations, toorganisations providing scientificadvice and recommendations to policymakers and governments on marineprotected areas and fish stocks, to pri-vate enterprises providing support toaquafarms in evaluating their economicperformance, or in detecting areas tolocate cages, to academics and scien-tists supporting international fisheriescommissions in analysing marinespecies or performing environmental,societal and nutritional research.Representatives from the EuropeanCommission were also present. The fulllist of participants is available at [L2].

The Workshop discussion focused onthree main themes:

1. How data-driven science is shapingBlue Growth practices: PracticalInsights from BlueBRIDGE Users

2. How European e-infrastructures cansupport Blue Growth related data sci-ence and innovation

3. How the Blue Growth sector can ben-efit from the European Open ScienceCloud

Agenda and workshop presentations areavailable at [L1].


Events

The main findings of the report havebeen published a report, which is struc-tured as follows:• Section 1 presents the BlueBRIDGE

offer and approach.• Section 2 describes how users from

the Blue Growth sector are benefittingfrom the adoption of the Blue-BRIDGE services.

• Section 3 presents the main findingsof the final panel discussion focusingon the role that data-driven scienceand innovation plays in the BlueGrowth sector, on how European e-infrastructures concretely facilitatethis role and on how the Blue Growthsector will benefit

from the European Open Science Cloud.The report is available for download at[L3].

The BlueBridge project is coordinatedby ISTI-CNR, ERCIM EEIG providesadministrative and financial support.

[L1] www.bluebridge-vres.eu/agenda-bluebridge-workshop-11-january-2017-brussels-belgium

[L2] bluebridge-vres.eu/participants[L3] www.bluebridge-

vres.eu/sites/default/files/january-workshopreport.pdf

Please contact:

[email protected]

Panel�session�at�the�BlueBRIDGE�workshop.�

http://www.bluebridge-vres.eu/participants

In brief

A digital Humanities Award

for the EAGLE Project

The EU funded EAGLE Project – whose data aggregationand image processing infrastructure was implemented by theNeMIS Lab of ISTI-CNR – won the Digital HumanitiesAwards 2016 for the “Best DH Tool or Suite of Tools” cate-gory.

Digital Humanities Awards are a set of annual awards wherethe public is able to nominate resources for the recognition oftalent and expertise in the digital humanities community.These awards are intended as an awareness raising activity,to help put interesting DH resources in the spotlight andengage DH users (and general public) in the work of thecommunity.

EAGLE (Europeana network of Ancient Greek and LatinEpigraphy, a Best Practice Network partially funded by theEU) aggregates epigraphic material provided by some 15 dif-ferent epigraphic archives for ingestion to Europeana(www.europeana.eu/). The aggregated material is madeavailable to the scholarly community and the general publicfor research and cultural dissemination. EAGLE has defineda common data model for epigraphic information, into whichdata models from different archives can be optimallymapped. The data infrastructure is based on the D-NET soft-ware toolkit (www.d-net.research-infrastructures.eu) devel-oped by the InfraScience Research Group of the NeMIS Lab.A novel search feature offered by EAGLE and developed bythe Multimedia Information Retrieval Research Group of theNeMIS Lab is the possibility of visually searching for epi-graphic information. A picture of an inscription can be usedas a query to search for similar inscriptions or to obtain infor-mation on it. Visual inscription search leverages jointly ondeep learning techniques and index structures for large-scalesimilarity searching.

www.eagle-network.eudhawards.org/dhawards2016/results/

Call for Submissions

2017 best Practices

in Education Award

The Informatics Europe Best Practices in Education Awardis devoted to initiatives making Informatics education avail-able to all. To continue promoting teaching quality inInformatics, Informatics Europe presents every year theBest Practices in Education Award, which recognizes out-standing European educational initiatives that improve thequality of Informatics teaching and the attractiveness of thediscipline, and that can be applied beyond their institutionsof origin. On its 6th edition, the Award is devoted to cur-riculum and professional development initiatives for makingInformatics education available to all.

It will honor original contributions that emphasize suc-cessful initiatives for the teaching of informatics fundamen-tals in one of the following areas:• Reaching out to non-traditional audiences, e.g., in contin-

uing professional development or to senior citizens.• Educating the general public, e.g., with respect to data

security and privacy.• Including Informatics education in other curricula, e.g., in

general teacher training.

The Award, which carries a prize of 5.000 EUR, will be pre-sented at the 13th European Computer Science Summit, inLisbon, 23-25 October 2017, where the winner or winnerswill be invited to give a talk on their achievements.

www.informatics-europe.org/awards/education-award/call-for-submissions.html

Call for Nominations

Minerva Informatics Equality

Award

The 2017 Informatics Europe Minerva Award, sponsored byGoogle, is devoted to initiatives supporting the transition offemale PhD and postdoctoral researchers into faculty positions.

This is the second edition of the Minerva InformaticsEquality Award. The Award seeks to celebrate successful ini-tiatives that have had a measurable impact on the careers ofwomen within the institution. Such initiatives can serve asexemplars of best practices within the community, with thepotential to be widely adopted by other institutions.Nominations will need to demonstrate the impact that hasbeen achieved.

For 2017 examples of impact could include an improvedcareer development and better agreements on career plan-ning for female PhD students and postdocs as recorded inobjective surveys of staff experience, and increasing num-bers of female faculty. The Award carries a prize of € 5,000

59ERCIM NEWS 109 April 2017

The Informatics Europe Minerva Informatics EqualityAward recognizes best practices in Departments or Facultiesof European universities or research labs that have beendemonstrated to have a positive impact for women. On athree-year cycle the award will focus each year on a differentstage of the career pipeline:• Developing the careers of female faculty, including reten-

tion and promotion;• Supporting the transition of female PhD and postdoctoral

researchers into faculty positions;• Encouraging female students to enroll in Computer Sci-

ence/Informatics programmes and retaining them.

Deadlines:• Full nominations: June 1, 2017• Notification of winner(s): August 1, 2017

http://www.informatics-europe.org/awards/minerva-informatics-equality-award/cal-for-submissions-2017.html

dhawards.org/dhawards2016/results/

ERCIM is the European Host of the World Wide Web Consortium.

Institut National de Recherche en Informatique

et en Automatique

B.P. 105, F-78153 Le Chesnay, France

http://www.inria.fr/

VTT Technical Research Centre of Finland Ltd

PO Box 1000

FIN-02044 VTT, Finland

http://www.vttresearch.com

SBA Research gGmbH

Favoritenstraße 16, 1040 Wien

http://www.sba-research.org/

Norwegian University of Science and Technology

Faculty of Information Technology, Mathematics and Electri-

cal Engineering, N 7491 Trondheim, Norway

http://www.ntnu.no/

Universty of Warsaw

Faculty of Mathematics, Informatics and Mechanics

Banacha 2, 02-097 Warsaw, Poland

http://www.mimuw.edu.pl/

Consiglio Nazionale delle Ricerche

Area della Ricerca CNR di Pisa

Via G. Moruzzi 1, 56124 Pisa, Italy

http://www.iit.cnr.it/

Centrum Wiskunde & Informatica

Science Park 123,

NL-1098 XG Amsterdam, The Netherlands

http://www.cwi.nl/

Foundation for Research and Technology – Hellas

Institute of Computer Science

P.O. Box 1385, GR-71110 Heraklion, Crete, Greece

http://www.ics.forth.gr/FORTH

Fonds National de la Recherche

6, rue Antoine de Saint-Exupéry, B.P. 1777

L-1017 Luxembourg-Kirchberg

http://www.fnr.lu/

Fraunhofer ICT Group

Anna-Louisa-Karsch-Str. 2

10178 Berlin, Germany

http://www.iuk.fraunhofer.de/

SICS Swedish ICT

Box 1263,

SE-164 29 Kista, Sweden

http://www.sics.se/

Magyar Tudományos Akadémia

Számítástechnikai és Automatizálási Kutató Intézet

P.O. Box 63, H-1518 Budapest, Hungary

http://www.sztaki.hu/

University of Cyprus

P.O. Box 20537

1678 Nicosia, Cyprus

http://www.cs.ucy.ac.cy/

Subscribe to ERCIM News and order back copies at http://ercim-news.ercim.eu/

ERCIM – the European Research Consortium for Informatics and Mathematics is an organisa-

tion dedicated to the advancement of European research and development in information tech-

nology and applied mathematics. Its member institutions aim to foster collaborative work with-

in the European research community and to increase co-operation with European industry.

INESC

c/o INESC Porto, Campus da FEUP,

Rua Dr. Roberto Frias, nº 378,

4200-465 Porto, Portugal

I.S.I. – Industrial Systems Institute

Patras Science Park building

Platani, Patras, Greece, GR-26504

http://www.isi.gr/


Special theme Autonomous Vehicles - About | Aries...Open-Access Verification Framework by Franco...

Documents

Transcript of Special theme Autonomous Vehicles - About | Aries...Open-Access Verification Framework by Franco...